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106th  congress 
1st  Session 


To  provide  individuals  with  access  to  health  information  of  which  they  are 
a  subject,  ensure  personal  privacy  with  respect  to  health-care-related 
information,  impose  criminal  and  civil  penalties  for  unauthorized  use 
of  protected  health  information,  to  provide  for  the  strong  enforcement 
of  these  rights,  and  to  protect  States'  rights. 


IN  THE  SENATE  OF  THE  UNITED  STATES 

March  10,  1999 

Mr.  Leahy  (for  himself,  Mr.  KENNEDY,  Mr.  Daschle,  and  Mr.  Dorgan)  in- 
troduced the  following  bill;  which  was  read  twice  and  referred  to  the  Com- 
mittee on  Health,  Education,  Labor,  and  Pensions 


A  BILL 

To  provide  individuals  with  access  to  health  information  of 
which  they  are  a  subject,  ensure  personal  privacy  with 
respect  to  health-care-related  information,  impose  crimi- 
nal and  civil  penalties  for  unauthorized  use  of  protected 
health  information,  to  provide  for  the  strong  enforcement 
of  these  rights,  and  to  protect  States'  rights. 

1  Be  it  enacted  by  the  Senate  and  House  of  Representa- 

2  tives  of  the  United  States  of  America  in  Congress  assembled, 

3  SECTION  1.  SHORT  TITLE;  TABLE  OF  CONTENTS. 

4  (a)  Short  Title. — This  Act  may  be  cited  as  the 

5  ''Medical  Information  Privacy  and  Security  Act". 
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1  (b)  Table  of  Contents. — The  table  of  contents  for 

2  this  Act  is  as  follows: 

Sec.  1.  Short  title;  table  of  contents. 
Sec.  2.  Findings. 
Sec.  3.  Purposes. 
Sec.  4.  Definitions. 

TITLE  I— INDIVIDUALS'  RIGHTS 


Subtitle  A — ^Access  to  Protected  Health  Information  by  Subjects  of  the 

Information 


Sec. 

101. 

Inspection  and  copying  of  protected  health  information. 

Sec. 

102. 

Supplements  to  protected  health  information. 

Sec. 

103. 

Notice  of  privacy  practices. 

Subtitle  B — Establishment  of  Safeguards 

Sec. 

111. 

Establishment  of  safeguards. 

Sec. 

112. 

Accounting  for  disclosures. 

TITLE  II— RESTRICTIONS  ON  USE  AND  DISCLOSURE 

Sec. 

201. 

General  rules  regarding  use  and  disclosure. 

Sec. 

202. 

Authorizations  for  disclosure  of  protected  health  information  for 

treatment  and  payment. 

Sec. 

203. 

Authorizations  for  disclosure  of  protected  health  information  other 

than  for  treatment  or  payment. 

Sec. 

204. 

Emergency  circumstances. 

Sec. 

205. 

Public  health. 

Sec. 

206. 

Protection  and  advocacy  agencies. 

Sec. 

207. 

Oversight. 

Sec. 

208. 

Disclosure  for  law  enforcement  purposes. 

Sec. 

209. 

Next  of  kin  and  directory  information. 

Sec. 

210. 

Health  research. 

Sec. 

211. 

Judicial  and  administrative  purposes. 

Sec. 

212. 

Individual  representatives. 

Sec. 

213. 

Prohibition  against  retaliation. 

TITLE  III— OFFICE  OF  HEALTH  INFORMATION  PRIVACY  OF  THE 
DEPARTMENT  OF  HEALTH  AND  HUMAN  SERVICES 

Subtitle  A — Designation 

Sec.  301.  Designation. 

Subtitle  B — Enforcement 
CHAPTER  1— Criminal  Provisions 

Sec.  311.  Wrongful  disclosure  of  protected  health  information. 
Sec.  312.  Debarment  for  crimes.  \ 

CHAPTER  2— Civil  Sanctions 
Sec.  321.  Civil  penalty. 
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Sec.  322.  Procedures  for  imposition  of  penalties. 
Sec.  323.  Civil  action  by  individuals. 

TITLE  IV— MISCELLANEOUS 

Sec.  401.  Relationship  to  other  laws. 
Sec.  402.  Effective  date. 

1    SEC.  2.  FINDINGS. 


2  The  Congress  finds  as  follows: 

3  (1)  Individuals  have  a  right  of  privacy  with  re- 

4  spect  to  their  protected  health  information  and 

5  records. 

6  (2)  With  respect  to  information  about  medical 

7  care  and  health  status,  the  traditional  right  of  con- 

8  fidentiality  (between  a  health  care  provider  and  a 

9  patient)  is  at  risk. 

10  (3)  An  erosion  of  the  right  of  privacy  may  re- 

11  duce  the  willingness  of  patients  to  confide  in  physi- 

12  cians  and  other  practitioners  and  may  inhibit  pa- 

13  tients  from  seeking  care. 

14  (4)  An  individual's  privacy  right  means  that  the 

15  individual's  consent  is  needed  to  disclose  his  or  her 

16  protected  health  information  and  that  the  individual 

17  has  a  right  of  access  to  that  health  information. 

18  (5)  Any  disclosure  of  protected  health  informa- 

19  tion  should  be  limited  to  that  information  or  portion 

20  of  the  medical  record  necessary  to  fulfill  the  imme- 

21  diate  and  specific  purpose  of  the  disclosure. 
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1  (6)  Health  research  often  depends  on  access  to 

2  both  identifiable  and  de-identified  patient  health  in- 

3  formation  and  health  research  is  critically  important 

4  to  the  health  and  well-being  of  all  people  in  the 

5  United  States. 

6  (7)  The  Supreme  Court  found  in  Jaffee  v. 

7  Redmond  (116  S.Ct.  1923  (1996))  that  there  is  an 

8  imperative  need  for  confidence  and  trust  between  a 

9  psychotherapist  and  a  patient  and  that  such  trust 

10  can  only  be  established  by  an  assurance  of  confiden- 

11  tiality.  This  assurance  serves  the  public  interest  by 

12  facilitating  the  provision  of  appropriate  treatment 

13  for  individuals. 

14  (8)  Section  264  of  the  Health  Insurance  Port- 

15  abihty  and  Accountability  Act  of  1996  (42  U.S.C. 

16  1320d-2  note)  establishes  a  deadline  that  Congress 

17  enact  legislation,  before  August  21,  1999,  to  protect 

18  the  privacy  of  protected  health  information. 

19  SEC.  3.  PURPOSES. 

20  The  purposes  of  this  Act  are  as  follows: 

21  (1)  To  recognize  that  there  is  a  right  to  privacy 

22  with  respect  to  health  information,  including  genetic 

23  information,  and  that  this  right  must  be  protected. 
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1  (2)   To  create  incentives  to  turn  protected 

2  health  information  into  de-identified  health  informa- 

3  tion,  where  appropriate. 

4  (3)  To  designate  an  Office  of  Health  Informa- 

5  tion  Privacy  within  the  Department  of  Health  and 

6  Human  Services  to  protect  that  right  of  privacy. 

7  (4)  To  provide  individuals  with — 

8  (A)  access  to  health  information  of  which 

9  they  are  the  subject;  and 

10  (B)  the  opportunity  to  challenge  the  accu- 

11  racy  and  completeness  of  such  information  by 

12  being  able  to  file  supplements  to  such  informa- 

13  tion. 

14  (5)  To  provide  individuals  with  the  right  to 

15  limit  the  use  and  disclosure  of  protected  health  in- 

16  formation. 

17  (6)  To  establish  strong  and  effective  mecha- 

18  nisms  to  protect  against  the  unauthorized  and  inap- 

19  propriate  use  of  protected  health  information. 

20  (7)  To  invoke  the  sweep  of  congressional  pow- 

21  ers,  including  the  power  to  enforce  the  14th  amend- 

22  ment,  to  regulate  commerce,  and  to  abrogate  the  im- 

23  munity  of  the  States  under  the  11th  amendment,  in 

24  order  to  address  violations  of  the  rights  of  individ- 

25  uals  to  privacy,  to  provide  individuals  with  access  to 
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1  their  health  information,  and  to  prevent  unauthor- 

2  ized  use  of  protected  health  information  that  is  ge- 

3  netic  information. 

4  (8)  To  establish  strong  and  effective  remedies 

5  for  violations  of  this  Act. 

6  (9)  To  protect  the  rights  of  States. 

7  SEC.  4.  DEFINITIONS. 

8  In  this  Act: 

9  (1)  Administrative  billing  information. — 

10  The    term    "administrative    bilhng  information" 

1 1  means  any  of  the  following  forms  of  protected  health 

12  information: 

13  (A)  Date  of  service,  policy,  patient  identifi- 

14  ers,  and  practitioner  or  facility  identifiers. 

15  (B)  Diagnostic  codes,  in  accordance  with 

16  medicare  billing  codes,  for  which  treatment  is 

17  being  rendered  or  requested. 

18  (C)  Complexity  of  service  codes,  indicating 

19  duration  of  treatment. 

20  (D)  Total  billed  charges. 

21  (2)  Agent. — The  term  "agent"  means  a  person 

22  who  represents  and  acts  for  another  person  (a  prin- 

23  cipal)  under  a  contract  or  relationship  of  agency,  or 

24  whose  function  is  to  bring  about,  modify,  affect,  ac- 

25  cept  performance  of,  or  terminate,  contractual  obli- 
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1  gations  between  the  principal  and  a  third  person. 

2  With  respect  to  an  employer,  the  term  includes  the 

3  employees  of  the  employer. 

4  (3)  De-identified  health  information. — 

5  (A)  In  general. — The  term  "de-identified 

6  health  information"  means  any  protected  health 

7  information,  with  respect  to  which — 

8  (i)  all  personal  identifiers,  or  other  in- 

9  formation  that  may  be  used  by  itself  or  in 

10  combination  with  other  information  which 

11  may  be  available  to  re-identify  the  subject 

12  of  the  information,  have  been  removed;  and 

13  (ii)  a  good  faith  effort  to  evaluate  the 

14  risks  of  re-identification  of  the  subject  of 

15  such  information  in  the  context  in  which  it 

16  will  be  used  or  disclosed,  has  been  made. 

17  (B)  Examples. — The  term  includes  aggre- 

18  gate  statistics,  redacted  health  information,  in- 

19  formation  in  which  random  or  fictitious  alter- 

20  natives  have  been  substituted  for  personally 
.21  identifiable   information,   and  information  in 

22  which  personally  identifiable  information  has 

23  been  encrypted  and  the  decryption  key  is  main- 

24  tained  by  a  person  otherwise  authorized  to  have 
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1  access  to  such  protected  health  information  in 

2  an  identifiable  format. 

3  (4)  Disclose. — The  term  "disclose"  means  to 

4  release,  publish,  share,  transfer,  transmit,  dissemi- 

5  nate,  show,  permit  access  to,  re-identify,  or  other- 

6  wise  divulge  protected  health  information  to  any  per- 

7  son  other  than  the  individual  who  is  the  subject  of 

8  such  information.  The  term  includes  the  initial  dis- 

9  closure  and  any  subsequent  redisclosure  of  protected 

10  health  information. 

11  (5)  Deckyption  key. — The  term  "decryption 

12  key"  means  the  variable  information  used  in  or  pro- 

13  duced  by  a  mathematical  formula,  code,  or  algo- 

14  rithm,  or  any  component  thereof,  used  to  encrypt  or 

15  decrypt  wire  or  electronic  communications  or  elec- 

16  tronically  stored  information. 

17  (6)  Employer. — The  term  "employer"  means 

18  a  person  engaged  in  business  affecting  commerce 

19  who  has  employees. 

20  (7)    Encryption. — The    term  "encryption" 

21  means  the  scrambling  of  electronic  or  wire  commu- 

22  nications  or  electronically  stored  information  using 

23  mathematical  formulas  or  algorithms  sufficient  to 

24  preserve  the  confidentiality,  integrity,  and  authentic- 

25  ity  of  such  communications  or  information. 
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1  (8)  Health  care. — The  term  "health  care" 

2  means — 

3  (A)  preventive,  diagnostic,  therapeutic,  re- 

4  habihtative,  maintenance,  or  palhative  care,  in- 

5  eluding  appropriate  assistance  with  disease  or 

6  symptom  management  and  maintenance,  coun- 

7  seling,  service,  or  procedure — 

8  (i)  with  respect  to  the  physical  or 

9  mental  condition  of  an  individual;  or 

10  (ii)  affecting  the  structure  or  function 

11  of  the  human  body  or  any  part  of  the 

12  human  body,   including  the  banking  of 

13  blood,  sperm,  organs,  or  any  other  tissue; 

14  and 

15  (B)  any  sale  or  dispensing  of  a  drug,  de- 

16  vice,  equipment,  or  other  health  care  related 

17  item  to  an  individual,  or  for  the  use  of  an  indi- 

18  vidual,  pursuant  to  a  prescription. 

19  (9)    Health    care    provider. — The  term 

20  "health  care  provider"  means  a  person  who,  with  re- 

21  spect  to  a  specific  item  of  protected  health  informa- 

22  tion,  receives,  creates,  uses,  maintains,  or  discloses 

23  the  information  while  acting  in  whole  or  in  part  in 

24  the  capacity  of — 
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1  (A)  a  person  who  is  licensed,  certified,  reg- 

2  istered,  or  otherwise  authorized  by  Federal  or 

3  State  law  to  provide  an  item  or  service  that 

4  constitutes  health  care  in  the  ordinary  course  of 

5  business,  or  practice  of  a  profession; 

6  (B)  a  Federal  or  State  program  that  di- 

7  rectly  provides  items  or  services  that  constitute 

8  health  care  to  beneficiaries;  or 

9  (C)  an  officer  or  employee  or  agent  of  a 

10  person  described  in  subparagraph  (A)  or  (B) 

11  who  is  engaged  in  the  provision  of  health  care 

12  or  who  uses  health  information. 

13  (10)  Health  or  life  insurer. — The  term 

14  "health  or  life  insurer"  means  a  health  insurance 

15  issuer  (as  defined  in  section  9805(b)(2)  of  the  Inter- 

16  nal  Revenue  Code  of  1986)  or  a  life  insurance  com- 

17  pany  (as  defined  in  section  816  of  such  Code)  and 

18  includes  the  employees  and  agents  of  such  a  person. 

19  (11)  Health  oversight  agency. — The  term 

20  "health  oversight  agency" — 

21  (A)  means  a  person  who — 

22  (i)  performs  or  oversees  the  perform- 

23  ance  of  an  assessment,  investigation,  or 

24  prosecution  relating  to  compliance  with 

25  legal  or  fiscal  standards  relating  to  health 
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1  care  fraud  or  fraudulent  claims  regarding 

2  health  care,  health  services  or  equipment, 

3  or  related  activities  and  items;  and 

4  (ii)  is  a  public  executive  branch  agen- 

5  cy,  acting  on  behalf  of  a  public  executive 

6  branch  agency,  acting  pursuant  to  a  re- 

7  quirement  of  a  public  executive  branch 

8  agency,  or  carrying  out  activities  under  a 

9  Federal  or  State  law  governing  an  assess- 

10  ment,  evaluation,  determination,  investiga- 

11  tion,  or  prosecution  described  in  clause  (i); 

12  and 

13  (B)  includes  the  employees  and  agents  of 

14  such  a  person. 

15  (12)  Health  plan. — The  term  "health  plan" 

16  means  any  health  insurance  plan,  including  any  hos- 

17  pital  or  medical  service  plan,  dental  or  other  health 

18  service  plan  or  health  maintenance  organization 

19  plan,  or  other  program  providing  or  arranging  for 

20  the  provision  of  health  benefits,  whether  or  not  fund- 

21  ed  through  the  purchase  of  insurance.  The  term  in- 

22  eludes  employee  welfare  benefit  plans  and  group 

23  plans  (as  defined  in  sections  3  and  607  of  the  Em- 

24  ployee  Retirement  Income  Security  Act  of  1974  (29 

25  U.S.C.  1002  and  1167)). 
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1  (13)  Health  researcher. — The  term  "health 

2  researcher"  means  a  person  who,  with  respect  to  a 

3  specific  item  of  protected  health  information,  re- 

4  ceives  the  information — 

5  (A)  pursuant  to  section  210  (relating  to 

6  health  research);  or 

7  (B)  while  acting  in  whole  or  in  part  in  the 

8  capacity  of  an  officer,  employee,  or  agent  of  a 

9  person  who  receives  the  information  pursuant 

10  to  such  section. 

11  (14)  Law  enforcement  inquiry. — The  term 

12  "law  enforcement  inquiry"  means  a  lawful  executive 

13  branch  investigation  or  official  proceeding  inquiring 

14  into  a  violation  of,  or  failure  to  comply  with,  any 

15  criminal  or  civil  statute  or  any  regulation,  rule,  or 

16  order  issued  pursuant  to  such  a  statute. 

17  (15)  Office  of  health  information  pri- 

18  VACY. — The  term  "Office  of  Health  Information  Pri- 

19  vacy"  means  the  Office  of  Health  Information  Pri- 

20  vacy  designated  under  section  301. 

21  (16)  Person. — The  term  "person"  means  a 

22  government,  governmental  subdivision  of  an  execu- 

23  tive  branch  agency  or  authority;  corporation;  com- 

24  pany;  association;  firm;  partnership;  society;  estate; 
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1  trust;  joint  venture;  individual;  individual  represent- 

2  ative;  tribal  government;  and  any  other  legal  entity. 

3  (17)  Protected  health  information. — 

4  (A)  In  general. — The  term  "protected 

5  health  information"  means  any  information,  in- 

6  eluding  genetic  information,  demographic  infor- 

7  mation,  and  tissue  samples  collected  from  an 

8  individual,  whether  oral  or  recorded  in  any  form 

9  or  medium,  that — 

10  (i)  is  created  or  received  by  a  health 

11  care  provider,  health  researcher,  health 

12  plan,  health  oversight  agency,  public  health 

13  authority,  employer,  health  or  life  insurer, 

14  school  or  university;  and 

15  (ii)(I)  relates  to  the  past,  present,  or 

16  future  physical  or  mental  health  or  condi- 

17  tion  of  an  individual  (including  individual 

18  cells  and  their  components),  the  provision 

19  of  health  care  to  an  individual,  or  the  past, 

20  present,  or  future  payment  for  the  provi- 

21  sion  of  health  care  to  an  individual;  and 

22  (II) (aa)  identifies  an  individual;  or 

23  (bb)  with  respect  to  which  there  is  a 

24  reasonable  basis  to  believe  that  the  infor- 
ms 573  IS 
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1  mation  can  be  used  to  identify  an  individ- 

2  ual;  and 

3  (B)  Decryption  key. — The  term  "pro- 

4  teeted  health  information"  includes  any  infor- 

5  mation  described  in  paragraph  (5). 

6  (18)  Public  health  authority. — The  term 

7  "public  health  authority"  means  an  authority  or  in- 

8  strumentality  of  the  United  States,  a  tribal  govern- 

9  ment,  a  State,  or  a  political  subdivision  of  a  State 

10  that  is — 

11  (A)  primarily  responsible  for  public  health 

12  matters;  and 

13  (B)  primarily  engaged  in  activities  such  as 

14  injury  reporting,  public  health  surveillance,  and 

15  public  health  investigation  or  intervention. 

16  (19)  Re-identify. — The  term  "re-identify", 

17  when  used  with  respect  to  de-identified  health  infor- 

18  mation,  means  an  attempt,  successful  or  otherwise, 

19  to  ascertain — 

20  (A)  the  identity  of  the  individual  who  is 

21  the  subject  of  such  information;  or 

22  (B)  the  decryption  key  with  respect  to  the 

23  information  (when  undertaken  with  knowledge 

24  that  such  key  would  allow  for  the  identification 
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1  of  the  individual  who  is  the  subject  of  such  in- 

2  formation). 

3  (20)    School   or   university. — The  term 

4  "school  or  university"  means  an  institution  or  place 

5  for  instruction  or  education,  including  an  elementary 

6  school,  secondary  school,  or  institution  of  higher 

7  learning,  a  college,  or  an  assemblage  of  colleges 

8  united  under  one  corporate  organization  or  govern- 

9  ment. 

10  (21)     Secretary. — The    term  "Secretary" 

1 1  means  the  Secretary  of  Health  and  Human  Services. 

12  (22)  State.— The  term  "State"  includes  the 

13  District  of  Columbia,  Puerto  Rico,  the  Virgin  Is- 

14  lands,  Guam,  American  Samoa,  and  the  Northern 

15  Mariana  Islands. 

16  (23)     To     THE     MAXIMUM     EXTENT  PRAC- 

17  TICABLE. — The  term  "to  the  maximum  extent  prac- 

18  ticable"  means  the  level  of  comphance  that  a  reason- 

19  able  person  would  deem  technologically  feasible  so 

20  long  as  such  feasibility  is  periodically  evaluated  in 

21  light  of  scientific  advances. 

22  (24)  Writing. — The  term   "writing"  means 

23  writing  in  either  a  paper-based  or  computer-based 

24  form,  including  electronic  and  digital  signatures. 
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1  TITLE  I— INDIVIDUALS'  RIGHTS 

2  Subtitle  A— Access    to  Protected 

3  Health  Information  by  Subjects 

4  of  the  Information 

5  SEC.    101.   INSPECTION  AND   COPYING   OF  PROTECTED 

6  HEALTH  INFORMATION. 

7  (a)  Right  of  Individual. — 

8  (1)   In   general. — health  care  provider, 

9  health  plan,  employer,  health  or  life  insurer,  school, 

10  or  university,  or  a  person  acting  as  the  agent  of  any 

11  such  person,  shall  permit  an  individual  who  is  the 

12  subject  of  protected  health  information,  or  the  indi- 

13  vidual's  designee,  to  inspect  and  copy  protected 

14  health  information  concerning  the  individual,  includ- 

15  ing  records  created  under  sections  102,  112,  202, 

16  203,  208,  and  211,  that  such  person  maintains. 

17  (2)  Procedures  and  fees. — person  de- 

18  scribed  in  paragraph  (1)  may  set  forth  appropriate 

19  procedures  to  be  followed  for  inspection  and  copying 

20  under  such  paragraph  and  may  require  an  individual 

21  to  pay  fees  associated  with  such  inspection  and  copy- 

22  ing  in  an  amount  that  is  not  in  excess  of  the  actual 

23  costs  of  providing  such  copying.  Such  fees  may  not 

24  be  assessed  where  such  an  assessment  would  have 

25  the  effect  of  inhibiting  an  individual  from  gaining 
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1  access  to  the  information  described  in  paragraph 

2  (1). 

3  (b)  Deadline. — person  described  in  subsection 

4  (a)(1)  shall  comply  with  a  request  for  inspection  or  copy- 

5  ing  of  protected  health  information  under  this  section  not 

6  later  than  15  business  days  after  the  date  on  which  the 

7  person  receives  the  request. 

8  (c)  Rules  Governing  Agents. — person  acting  as 

9  the  agent  of  a  person  described  in  subsection  (a)  shall  pro- 

10  vide  for  the  inspection  and  copying  of  protected  health  in- 

1 1  formation  if — 

12  (1)  the  protected  health  information  is  retained 

13  by  the  agent;  and 

14  (2)  the  agent  has  been  asked  by  the  person  in- 

15  volved  to  fulfill  the  requirements  of  this  section. 

16  (d)  Special  Rule  Relating  to  Ongoing  Clinical 

17  Trials. — ^With  respect  to  protected  health  information 

18  that  is  created  as  part  of  an  individual's  participation  in 

19  an  ongoing  clinical  trial,  access  to  the  information  shall 

20  be  provided  consistent  with  the  individual's  agreement  to 

21  participate  in  the  clinical  trial. 

22  SEC.  102.  SUPPLEMENTS  TO  PROTECTED  HEALTH  INFOR- 

23  MATION. 

24  (a)  In  General. — Not  later  than  45  days  after  the 

25  date  on  which  a  health  care  provider,  health  plan,  em- 


S  573  IS  --  3 


18 

1  ployer,  health  or  hfe  insurer,  school,  or  university,  or  a 

2  person  acting  as  the  agent  of  any  such  person,  receives 

3  from  an  individual  a  request  in  writing  to  supplement  pro- 

4  tected  health  information  concerning  the  individual,  such 

5  person — 


6  (1)  shall  add  the  supplement  requested  to  the 

7  information; 

8  (2)  shall  inform  the  individual  that  the  supple- 

9  ment  has  been  made;  and 

10  (3)  shall  make  reasonable  efforts  to  inform  any 

11  person  to  whom  the  portion  of  the  unsupplemented 

12  information  was  previously  disclosed,  of  any  sub- 

13  stantive  supplement  that  has  been  made. 

14  (b)  Refusal  To  Supplement. — If  a  person  de- 

15  scribed  in  subsection  (a)  declines  to  make  the  supplement 

16  requested  under  such  subsection,  the  person  shall  inform 

17  the  individual  in  writing  of — 

18  (1)  the  reasons  for  dechning  to  make  the  sup- 

19  plement; 

20  (2)  any  procedures  for  further  review  of  the  de- 

21  dining  of  such  supplement;  and 

22  (3)  the  individual's  right  to  file  with  the  person 

23  a  concise  statement  setting  forth  the  requested  sup- 

24  plement  and  the  individual's  reasons  for  disagreeing 

25  with  the  dechning  person  and  the  individual's  right 
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1  to  include  a  copy  of  this  refusal  in  his  or  her  health 

2  record. 

3  (c)  Statement  of  Disagreement. — ^If  an  individ- 

4  ual  has  filed  with  a  person  a  statement  of  disagreement 

5  under  subsection  (b)(3),  the  person,  in  any  subsequent  dis- 

6  closure  of  the  disputed  portion  of  the  information — 

7  (1)  shall  include,  at  the  individual's  request,  a 

8  copy  of  the  individual's  statement;  and 

9  (2)  may  include  a  concise  statement  of  the  rea- 

10  sons  for  not  making  the  requested  supplement. 

1 1  (d)  Rules  Governing  Agents. — person  acting  as 

12  the  agent  of  a  person  described  in  subsection  (a)  shall  not 

13  be  required  to  make  a  supplement  to  protected  health  in- 

14  formation,  except  where — 

15  (1)  the  protected  health  information  is  retained 

16  by  the  agent;  and 

17  (2)  the  agent  has  been  asked  by  such  person  to 

18  fulfill  the  requirements  of  this  section. 

19  SEC.  103.  NOTICE  OF  PRIVACY  PRACTICES. 

20  (a)  Preparation  of  Written  Notice. — health 

21  care  provider,  health  plan,  health  oversight  agency,  public 

22  health  authority,  employer,  health  or  life  insurer,  school, 

23  or  university,  or  a  person  acting  as  the  agent  of  any  such 

24  person,  shall  prepare  a  written  notice  of  the  privacy  prac- 
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1  tices  of  the  person  that  provides  information  with  respect 

2  to  the  following: 


3  (1)  The  procedures  for  an  individual  to  author- 

4  ize  disclosures  of  protected  health  information,  and 

5  to  object  to,  modify,  and  revoke  such  authorizations. 

6  (2)  The  right  of  an  individual  to  inspect,  copy, 

7  and  supplement  the  protected  health  information. 

8  (3)  The  right  of  an  individual  not  to  have  em- 

9  ployment  or  the  receipt  of  services  conditioned  upon 

10  the  execution  by  the  individual  of  an  authorization 

1 1  for  disclosure. 

12  (4)  A  description  of  the  categories  or  types  of 

13  employees,  by  general  category  or  by  general  job  de- 

14  scription,  who  have  access  to  or  use  of  protected 

15  health  information  within  the  person. 

16  (5)  A  simple,  concise  description  of  any  infor- 

17  mation  systems  used  to  store  or  transmit  protected 

18  health  information,  including  a  description  of  any 

19  linkages  made  with  other  electronic  systems  or  data- 

20  bases  outside  the  person. 

21  (6)  The  right  of  the  individual  to  request  seg- 

22  regation  of  protected  health  information,  and  to  re- 

23  strict  the  use  of  such  information  by  employees, 

24  agents,  and  contractors  of  a  person. 
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1  (7)  The  circumstances  under  which  the  infor- 

2  mation  may  be  used  or  disclosed  without  an  author- 

3  ization  executed  by  the  individual. 

4  (8)  A  statement  that  an  individual  may  elect  to 

5  pay  for  health  care  from  the  individual's  own  funds 

6  and  information  on  the  right  of  such  an  individual 

7  to  elect  for  identifying  information  not  to  be  dis- 

8  closed  to  anyone  other  than  health  care  providers, 

9  unless  such  disclosure  is  required  by  mandatory  re- 

10  porting  requirements  or  other  similar  information 

1 1  collection  duties  required  by  law. 

12  (b)  Provision  and  Posting  of  Written  No- 

13  TICE. — 

14  (1)  Provision. — person  described  in  sub- 

15  section  (a)  shall  provide  a  copy  of  the  written  notice 

16  of     privacy     practices     required     under  such 

17  subsection — 

18  (A)  at  the  time  an  authorization  is  sought 

19  for  disclosure  of  protected  health  information; 

20  and 

21  (B)  upon  the  request  of  an  individual. 

22  (2)  Posting. — ^A  person  described  in  subsection 

23  (a)  shall  post,  in  a  clear  and  conspicuous  manner,  a 

24  brief  summary  of  the  privacy  practices  of  the  person. 
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1  (c)  Model  Notice. — The  Secretaiy,  in  consultation 

2  with  the  Director  of  the  Office  of  Health  Information  Pri- 

3  vacy  appointed  under  section  301,  after  notice  and  oppor- 

4  tunity  for  public  comment,  shall  develop  and  disseminate 

5  model  notices  of  privacy  practices,  and  model  summary 

6  notices  for  posting,  for  use  under  this  section.  Use  of  such 

7  a  model  notice  shall  be  deemed  to  satisfy  the  requirements 

8  of  this  section. 

9  Subtitle  B — Establishment  of 

10  Safeguards 

1 1  SEC.  111.  ESTABLISHMENT  OF  SAFEGUARDS. 

12  (a)  In  General. — health  care  provider,  health 

13  plan,  health  oversight  agency,  public  health  authority,  em- 

14  ployer,  health  researcher,  law  enforcement  official,  health 

15  or  life  insurer,  school,  or  university,  or  a  person  acting 

16  as  the  agent  of  any  such  person,  shall  establish  and  main- 

17  tain  appropriate  administrative,  organizational,  technical, 

1 8  and  physical  safeguards  and  procedures  to  ensure  the  con- 

19  fidentiality,  security,  accuracy,  and  integrity  of  protected 

20  health  information  created,  received,  obtained,  main- 

21  tained,  used,  transmitted,  or  disposed  of  by  such  person. 

22  (b)  Factors  To  Be  Considered. — The  policies  and 

23  safeguards  under  subsection  (a)  shall  ensure  that — 

24  (1)  protected  health  information  is  used  or  dis- 

25  closed  only  when  necessary; 
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1  (2)  the  categories  of  personnel  who  will  have  ae- 

2  cess  to  protected  health  information  are  identified; 

3  and 

4  (3)  the  feasibility  of  limiting  access  to  protected 

5  health  information  is  considered. 

6  (c)  Model  Guidelines. — The  Secretary,  in  eon- 

7  sultation  with  the  Director  of  the  Office  of  Health  Infor- 

8  mation  Privacy  appointed  under  section  301,  after  notice 

9  and  opportunity  for  pubhc  comment,  shall  develop  and  dis- 

10  seminate  model  guidelines  for  the  establishment  of  safe- 

11  guards  and  procedures  for  use  under  this  section,  such 

12  as,  where  appropriate,  individual  authentication  of  uses  of 

13  computer  systems,  access  controls,  audit  trails,  encryption, 

14  physical  security,  protection  of  remote  access  points  and 

15  protection  of  external  electronic  communications,  periodic 

16  security  assessments,  incident  reports,  and  sanctions.  The 

17  director  shall  update  and  disseminate  the  guidelines,  as 

18  appropriate,  to  take  advantage  of  new  technologies. 

1 9  SEC.  112.  ACCOUNTING  FOR  DISCLOSURES. 

20  (a)  In  General. — health  care  provider,  health 

21  plan,  health  oversight  agency,  public  health  authority,  em- 

22  ployer,  health  researcher,  law  enforcement  official,  health 

23  or  life  insurer,  school,  or  university,  or  a  person  acting 

24  as  the  agent  of  any  such  person,  shall  establish  and  main- 

25  tain,  with  respect  to  any  protected  health  information  dis- 
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1  closure  that  is  not  related  to  payment  or  treatment,  a 

2  record  of  the  disclosure  in  accordance  with  reflations 

3  issued  by  the  Secretary  in  consultation  with  the  Director 

4  of  the  Office  of  Health  Information  Privacy. 

5  (b)  Maintenance  of  Record. — record  estab- 

6  hshed  under  subsection  (a)  shall  be  maintained  for  not  less 

7  than  7  years. 

8  (c)  Electronic  Records. — health  care  provider, 

9  health  plan,  health  oversight  agency,  public  health  author- 

10  ity,  employer,  health  researcher,  law  enforcement  official, 

11  health  or  life  insurer,  school,  or  university,  or  a  person 

12  acting  as  the  agent  of  any  such  person,  shall,  to  the  maxi- 

13  mum  extent  practicable,  maintain  an  accessible  electronic 

14  record  concerning  each  access,  or  attempt  to  access, 

15  whether  authorized  or  unauthorized,  successful  or  unsuc- 

16  cessfal,  protected  health  information  maintained  by  such 

17  person  in  electronic  form.  The  record  shall  include  the 

18  identity  of  the  specific  individual  accessing  or  attempting 

19  to  gain  such  access  (or  a  way  to  identify  that  individual 

20  or  information  helpful  in  determining  the  identity  of  such 

21  individual),  information  sufficient  to  identify  the  protected 

22  health  information  sought  or  accessed,  and  other  appro- 

23  priate  information. 
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1  TITLE  II— RESTRICTIONS  ON 

2  USE  AND  DISCLOSURE 

3  SEC.  201.  GENERAL  RULES  REGARDING  USE  AND  DISCLO- 

4  SURE. 

5  (a)  Prohibition. — 

6  (1)  General  rule. — health  care  provider, 

7  health  plan,  health  oversight  agency,  public  health 

8  authority,  employer,  health  researcher,  law  enforce- 

9  ment  official,  health  or  life  insurer,  school,  or  univer- 

10  sity  may  not  disclose  or  use  protected  health  infor- 

1 1  mation  except  as  authorized  under  this  Act. 

12  (2)  Rule  of  construction. — Disclosure  of 

13  de-identified  health  information  shall  not  be  con- 

14  strued  as  a  disclosure  of  protected  health  informa- 

15  tion. 

16  (b)  Scope  of  Disclosure. — 

17  (1)  In  general. — disclosure  of  protected 

18  health  information  under  this  title  shall  be  limited  to 

19  the  minimum  amount  of  information  necessary  to 

20  accomplish  the  purpose  for  which  the  disclosure  is 

21  made. 

22  (2)  Determination. — The  determination  as  to 

23  what  constitutes  the  minimum  disclosure  possible  for 

24  purposes  of  paragraph  (1)  shall  be  made  by  a  health 

25  care  provider. 
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1  (c)  Use  or  Disclosure  for  Purpose  Only. — 

2  recipient  of  information  pursuant  to  this  title  may  use  or 

3  disclose  such  information  solely  to  carry  out  the  purpose 

4  for  which  the  information  was  disclosed. 

5  (d)  No  General  Requirement  To  Disclose. — 

6  Nothing  in  this  title  permitting  the  disclosure  of  protected 

7  health  information  shall  be  construed  to  require  such  dis- 

8  closure. 

9  (e)  Identification  of  Disclosed  Information  as 

10  Protected  Health  Information. — Protected  health 

1 1  information  disclosed  pursuant  to  this  title  shall  be  clearly 

12  identified  as  protected  health  information  that  is  subject 

13  to  this  Act. 

14  (f)  Disclosure  by  Agents. — ^An  agent  of  a  person 

15  described  in  subsection  (a)(1),  who  receives  protected 

16  health  information  from  the  person  while  acting  within  the 

17  scope  of  the  agency,  shall  be  subject  to  this  title  to  the 

18  same  extent  as  the  person  and  for  the  duration  of  the  pe- 

19  riod  in  which  the  agent  holds  the  information. 

20  (g)  Creation  of  De-Identified  Information. — 

21  Notwithstanding  subsection  (c),  but  subject  to  the  other 

22  provisions  of  this  section,  a  person  described  in  subsection 

23  (a)(1)  may  disclose  protected  health  information  to  an  em- 

24  ployee  or  other  agent  of  the  person  for  purposes  of  creat- 

25  ing  de-identified  information. 
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1  (h)  Unauthorized  Use  or  Disclosure  of  the 

2  Decryption  Key. — The  unauthorized  disclosure  of  a 

3  decryption  key  shall  be  deemed  to  be  a  disclosure  of  pro- 

4  tected  health  information.  The  unauthorized  use  of  a 

5  decryption  key  or  de-identified  health  information  in  order 

6  to  identify  an  individual  is  deemed  to  be  disclosure  of  pro- 

7  tected  health  information. 

8  (i)  No  Waiver. — Except  as  provided  in  this  Act,  an 

9  authorization  to  disclose  personally  identifiable  health  in- 

10  formation  executed  by  an  individual  pursuant  to  section 

11  202  or  203  shall  not  be  construed  as  a  waiver  of  any  rights 

12  that  the  individual  has  under  other  Federal  or  State  laws, 

13  the  rules  of  evidence,  or  common  law. 

14  (j )  Definitions. — For  purposes  of  this  title: 

15  (1)  Investigative  or  law  enforcement  of- 

16  FICER. — The  term  "investigative  or  law  enforcement 

17  officer"  means  any  officer  of  the  United  States  or  of 

18  a  State  or  political  subdivision  thereof,  who  is  em- 

19  powered  by  law  to  conduct  investigations  of,  or  to 

20  make  arrests  for,  criminal  offenses,  and  any  attor- 

21  ney  authorized  by  law  to  prosecute  or  participate  in 

22  the  prosecution  of  such  offenses. 

23  (2)  Segregate. — The  term  "segregate"  means 

24  to  place  a  designated  subset  of  an  individuals  pro- 

25  tected  health  information  in  a  location  or  computer 
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1  file  that  is  separate  from  the  location  or  computer 

2  file  used  to  store  protected  health  information  and 

3  where  access  to  or  use  of  any  information  so  seg- 

4  related  may  be  effectively  limited  to  those  persons 

5  who  are  authorized  by  the  individual  to  access  or  use 

6  such  information. 

7  (3)  Signed. — The  term  ''signed"  refers  to  both 

8  signatures  in  ink  and  electronic  signatures,  and  the 

9  term  "written"  refers  to  both  paper  and  computer- 

10  ized  formats. 

11  SEC.  202.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PRO- 

12  TECTED  HEALTH  INFORMATION  FOR  TREAT- 

1 3  MENT  AND  PAYMENT. 

14  (a)  Requirements  Relating  to  Employers, 

15  Health  Plans,  Health  or  Life  Insurers,  Unin- 

16  suRED  Individuals,  and  Providers. — 

17  (1)  In  general. — To  satisfy  the  requirement 

18  under  section  201(a)(1),  an  employer,  health  plan, 

19  health  or  life  insurer,  or  health  care  provider  that 

20  seeks  to  disclose  protected  health  information  in  con- 

21  nection  with  treatment  or  payment  shall  obtain  an 

22  authorization  that  satisfies  the  requirements  of  this 

23  section.  The  authorization  may  be  a  single  author- 

24  ization. 
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1  (2)  Employers. — Every  employer  offering-  a 

2  health  plan  to  its  employees  shall,  at  the  time  of  an 

3  employee's  enrollment  in  the  health  plan,  obtain  a 

4  signed,  written  authorization  that  is  a  legal,  in- 

5  formed  authorization  that  satisfies  the  requirements 

6  of  subsection  (b)  concerning  the  use  and  disclosure 

7  of  protected  health  information  for  treatment  or 

8  payment  with  respect  to  each  individual  who  is  eligi- 

9  ble  to  receive  care  under  the  health  plan. 

10  (3)  Health  plans,  health  or  life  insur- 

11  ERS. — Every  health  plan  or  health  or  life  insurer  of- 

12  fering   enrollment   to    individual   or  nonemployer 

13  groups  shall,  at  the  time  of  enrollment  in  the  plan 

14  or  insurance,  obtain  a  signed,  written  authorization 

15  that  is  a  legal,  informed  authorization  that  satisfies 

16  the  requirements  of  subsection  (b)  concerning  the 

17  use  and  disclosure  of  protected  health  information 

18  with  respect  to  each  individual  who  is  eligible  to  re- 

19  ceive  care  under  the  plan  or  insurance. 

20  (4)  Uninsured. — ^An  originating  provider  pro- 

21  viding  health  care  in  other  than  a  network  plan  set- 

22  ting,  or  providing  health  care  to  an  uninsured  indi- 

23  vidual,  shall  obtain  a  signed,  written  authorization 

24  that  satisfies  the  requirements  of  subsection  (b)  to 

25  use  protected  health  information  in  providing  health 
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1  care  or  arranging  for  health  care  from  other  provid- 

2  ers  or  seeking  payment  for  the  provision  of  health 

3  care  services. 

4  (5)  P^VIDERS. — 

5  /'  (A)  In  general. — Every  health  care  pro- 

6  vider  providing  health  care  to  an  individual  who 

7  has  not  given  the  appropriate  authorization 

8  under  this  section  shall,  at  the  time  of  provid- 

9  ing  such  care,  obtain  a  signed,  written  author- 

10  ization  that  is  a  legal,  informed  authorization, 

11  that  satisfies  the  requirements  of  subsection 

12  (b),  concerning  the  use  and  disclosure  of  pro- 

13  tected  health  information  with  respect  to  such 

14  individual. 

15  (B)  Rule  of  construction. — Subpara- 

16  graph  (A)  shall  not  be  construed  to  preclude 

17  the  provision  of  health  care  to  an  individual 

18  who  has  not  given  appropriate  authorization 

19  prior  to  receipt  of  such  care  if — 

20  (i)  the  health  care  provider  involved 

21  determines  that  such  care  is  essential;  and 

22  (ii)  the  individual  can  reasonably  be 

23  expected  to  sign  an  authorization  for  such 

24  care  when  appropriate. 
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1  (b)  Requirements  for  Individual  Authoriza- 

2  TION. — To  satisfy  the  requirements  of  this  subsection,  an 

3  authorization  to  disclose  protected  health  information — 

4  (1)  shall  identify,  by  general  job  description  or 

5  other  functional  description,  persons  authorized  to 

6  disclose  the  information; 

7  (2)  shall  describe  the  nature  of  the  information 

8  to  be  disclosed; 

9  (3)  shall  identify,  by  general  job  description  or 

10  other  functional  description,  persons  to  whom  the  in- 

11  formation  is  to  be  disclosed,  including  individuals 

12  employed  by,  or  operating  within,  an  entity  to  which 

13  information  is  authorized  to  be  disclosed; 

14  (4)  shall  describe  the  purpose  of  the  disclosures; 

15  (5)  shall  permit  the  executing  individual  to  indi- 

16  cate  that  a  particular  individual  listed  on  the  author- 

17  ization  is  not  authorized  to  receive  protected  health 

18  information  concerning  the  individual,  except  as  pro- 

19  vided  for  in  subsection  (c)(3); 

20  (6)  shall  provide  the  means  by  which  an  individ- 

21  ual  may  indicate  that  some  of  the  individual's  pro- 

22  tected  health  information  should  be  segregated  and 

23  to  what  persons  such  segregated  information  may  be 

24  disclosed; 
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1  (7)  shall  be  subject  to  revocation  by  the  individ- 

2  ual  and  indicate  that  the  authorization  is  valid  until 

3  revocation  by  the  individual  or  until  an  event  or  date 

4  specified;  and 

5  -  (8)(A)  shall  be— 

6  (i)  in  writing,  dated,  and  signed  by  the  in- 

7  dividual;  or 

8  (ii)  in  electronic  form,  dated  and  authenti- 

9  cated  by  the  individual  using  an  authentication 

10  method  approved  by  the  Secretary;  and 

11  (B)  shall  not  have  been  revoked  under  subpara- 

12  graph  (A). 

13  (c)  Limitation  ON  Authorizations. — 

14  (1)  In  general. — Subject  to  paragraphs  (2) 

15  and  (3),  a  person  described  in  subsection  (a)  who 

16  seeks  an  authorization  under  such  subsection  may 

17  not  condition  the  delivery  of  treatment  or  payment 

18  for  services  on  the  receipt  of  such  an  authorization. 

19  (2)  Right  to  require  self  payment. — If  an 

20  individual  has  refused  to  provide  an  authorization 

21  for  disclosure  of  administrative  billing  information  to 

22  a  person  and  such  authorization  is  necessary  for  a 

23  health  care  provider  to  receive  payment  for  services 

24  delivered,  the  health  care  provider  may  require  the 
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1  individual  to  pay  from  their  own  funds  for  the  serv- 

2  ices. 

3  (3)  Right  of  health  care  provider  to  re- 

4  quire   authorization   for   treatment  pur- 

5  POSES. — If  a  health  care  pro\dder  that  is  seeking  an 

6  authorization  for  disclosure  of  an  individual's  pro- 

7  tected  health  information  believes  that  the  disclosure 

8  of  such  information  is  necessary  so  as  not  to  endan- 

9  ger  the  health  or  treatment  of  the  individual,  the 

10  health  care  provider  may  condition  the  provision  of 

11  services  upon  the  execution  of  the  authorization  by 

12  the  individual. 

13  (d)  Model  Authorizations. — The  Secretary,  in 

14  consultation  with  the  Director  of  the  Office  of  Health  In- 

15  formation  Privacy,  after  notice  and  opportunity  for  public 

16  comment,  shall  develop  and  disseminate  model  written  au- 

17  thorizations  of  the  type  described  in  this  section  and  model 

18  statements  of  the  Hmitations  on  authorizations.  Any  au- 

19  thorization  obtained  on  a  model  authorization  form  under 

20  section  202  developed  by  the  Secretary  pursuant  to  the 

21  preceding  sentence  shall  be  deemed  to  satisfy  the  require- 

22  ments  of  this  section. 

23  (e)  Segregation  of  Files. — ^A  person  described  in 

24  subsection  (a)(1)  shall  comply,  to  the  maximum  extent 
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1  practicable,  with  the  request  of  an  individual  who  is  the 

2  subject  of  protected  health  information — 

3  (1)  to  segregate  any  type  or  amount  of  pro- 

4  tected  health  information,  other  than  administrative 

5  billing  information,  held  by  the  entity;  and 

6  (2)  to  hmit  the  use  or  disclosure  of  the  seg- 

7  regated  health  information  within  the  entity  to  those 

8  persons  specifically  designated  by  the  subject  of  the 

9  protected  health  information. 

10  (f)  Revocation  of  Authorization. — 

11  (1)  In  general. — ^An  individual  may  in  writing 

12  revoke  or  amend  an  authorization  under  this  section 

13  at  any  time,  unless  the  disclosure  that  is  the  subject 

14  of  the  authorization  is  required  to  effectuate  pay- 

15  ment  for  health  care  that  has  been  provided  to  the 

16  individual. 

17  (2)  Health  plans. — ^With  respect  to  a  health 

18  plan,  the  authorization  of  an  individual  is  deemed  to 

19  be  revoked  at  the  time  of  the  cancellation  or  non-re- 

20  newal  of  enrollment  in  the  health  plan,  except  as 

21  may  be  necessary  to  complete  plan  administration 

22  and  payment  requirements  related  to  the  individual's 

23  period  of  enrollment. 
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1  (3)  Actions. — ^An  individual  may  not  maintain 

2  an  action  against  a  person  for  disclosure  of  person- 

3  ally  identifiable  health  information — 

4  (A)  if  the  disclosure  was  made  based  on  a 

5  good  faith  reliance  on  the  individual's  author- 

6  ization  under  this  section  at  the  time  disclosure 

7  was  made; 

8  (B)  in  a  case  in  which  the  authorization  is 

9  revoked,  if  the  disclosing  person  had  no  actual 

10  or  constructive  notice  of  the  revocation;  or 

11  (C)  if  the  disclosure  was  for  the  purpose  of 

12  protecting  another  individual  from  imminent 

13  physical  harm,  and  is  authorized  under  section 

14  204. 

15  (g)  Record  of  Individual's  Authorizations  and 


16  Revocations. — Each  person  collecting  or  storing  person- 

17  ally  identifiable  health  information  shall  maintain  a  record 

18  for  a  period  of  7  years  of  each  authorization  of  an  individ- 

19  ual  and  any  revocation  thereof,  and  such  record  shall  be- 

20  come  part  of  the  personally  identifiable  health  information 

21  concerning  such  individual. 

22  (h)  Rule  of  Construction. — ^Authorizations  for 

23  the  disclosure  of  protected  health  information  for  treat- 

24  ment  or  pa3niient  shall  not  authorize  the  disclosure  of  such 

25  information  by  an  individual  with  the  intent  to  sell,  trans- 
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1  fer,  or  use  protected  health  information  for  commercial  ad- 

2  vantage  other  than  the  revenues  directly  derived  from  the 

3  provision  of  health  care  to  that  individual.  For  such  disclo- 

4  sures,  a  separate  authorization  that  satisfies  the  require- 

5  ments  of  section  203  is  required. 

6  SEC.  203.  AUTHORIZATIONS  FOR  DISCLOSURE  OF  PRO- 

7  TECTED  HEALTH  INFORMATION  OTHER  THAN 

8  FOR  TREATMENT  OR  PAYMENT. 

9  (a)  In  General. — To  satisfy  the  requirement  under 

10  section  201(a)(1),  a  health  care  provider,  health  plan, 

1 1  health  oversight  agency,  public  health  authority,  employer, 

12  health  researcher,  law  enforcement  official,  health  or  life 

13  insurer,  school,  or  university  that  seeks  to  disclose  pro- 

14  tected  health  information  for  a  purpose  other  than  treat- 

15  ment  or  payment  may  obtain  an  authorization  that  satis- 

16  files  the  requirements  of  subsections  (b)  and  (g)  of  section 

17  202.  Such  an  authorization  under  this  section  shall  be  sep- 

18  arate  from  an  authorization  provided  under  section  202. 

19  (b)  Limitation  on  Authorizations. — 

20  (1)  In  GENERAL. — person  subject  to  section 

21  202  may  not  condition  the  delivery  of  treatment,  or 

22  payment  for  services,  on  the  receipt  of  an  authoriza- 

23  tion  described  in  this  section. 

24  (2)  Requirement  for  separate  authoriza- 

25  TION. — person  subject  to  section  202  may  not  dis- 
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1  close  protected  health  information  to  any  employees 

2  or  agents  who  are  responsible  for  making  employ- 

3  ment,  work  assignment,  or  other  personnel  decisions 

4  with  respect  to  the  subject  of  the  information  with- 

5  out  a  separate  authorization  permitting  such  a  dis- 

6  closure. 

7  (c)  Model  Authorizations. — The  Secretary,  in 

8  consultation  with  the  Director  of  the  Office  of  Health  In- 

9  formation  Privacy,  after  notice  and  opportunity  for  public 

10  comment,  shall  develop  and  disseminate  model  written  au- 

11  thorizations  of  the  type  described  in  subsection  (a).  Any 

12  authorization  obtained  on  a  model  authorization  form 

13  under  this  section  developed  by  the  Secretary  shall  be 

14  deemed  to  meet  the  authorization  requirements  of  this  sec- 

15  tion. 

16  (d)    Requirement    To    Release  Protected 

17  Health  Information  to  Coroners  and  Medical  Ex- 

18  aminers. — 

19  (1)  In  general. — ^When  a  Coroner  or  Medical 

20  Examiner  or  their  duly  appointed  deputies  seek  pro- 

21  tected  health  information  for  the  purpose  of  inquiry 

22  into  and  determination  of,  the  cause,  manner,  and 

23  circumstances  of  an  individual's  death,  the  health 

24  care  provider,  health  plan,  health  oversight  agency, 

25  pubHc  health  authority,  employer,  health  researcher, 
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1  law  enforcement  officer,  health  or  life  insurer,  school 

2  or  university  involved  shall  provide  that  individual's 

3  protected  health  information  to  the  Coroner  or  Medi- 

4  cal  Examiner  or  to  the  duly  appointed  deputies  with- 

5  out  undue  delay. 

6  (2)  Production  op  additional  informa- 

7  TION. — If  a  Coroner  or  Medical  Examiner  or  their 

8  duly  appointed  deputies  receives  health  information 

9  from  an  entity  referred  to  in  paragraph  (1),  such 

10  health  information  shall  remain  as  protected  health 

11  information  unless  the  health  information  is  at- 

12  tached  to  or  otherwise  made  a  part  of  a  Coroner's 

13  or  Medical  Examiner's  official  report,  in  which  case 

14  it  shall  no  longer  be  protected. 

15  (3)  Exemption. — Health  information  attached 

16  to  or  otherwise  made  a  part  of  a  Coroner's  or  Medi- 

17  cal  Examiner's  official  report,  shall  be  exempt  from 

18  the  provisions  of  this  Act  except  as  provided  for  in 

19  this  subsection.  . 

20  (4)  Reimbursement. — Coroner  or  Medical 

21  Examiner  may  require  a  person  to  reimburse  their 

22  Office  for  the  reasonable  costs  associated  with  such 

23  inspection  or  copying. 
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1  (e)  Revocation  or  Amendment  of  Authoriza- 

2  TION. — ^An  individual  may,  in  writing,  revoke  or  amend  an 

3  authorization  under  this  section  at  any  time. 

4  (f)  Actions. — ^An  individual  may  not  maintain  an  ac- 

5  tion  against  a  person  for  disclosure  of  protected  health 

6  information — 

7  (1)  if  the  disclosure  was  made  based  on  a  good 

8  faith  reliance  on  the  individual's  authorization  under 

9  this  section  at  the  time  disclosure  was  made; 

10  (2)  in  a  case  in  which  the  authorization  is  re- 

1 1  voked,  if  the  disclosing  person  had  no  actual  or  con- 

12  structive  notice  of  the  revocation;  or 

13  (3)  if  the  disclosure  was  for  the  purpose  of  pro- 

14  tecting  another  individual  from  imminent  physical 

15  harm,  and  is  authorized  under  section  204. 

1 6  SEC.  204.  EMERGENCY  CIRCUMSTANCES. 

17  (a)  Geneiial  Rule. — In  the  event  of  a  threat  of  im- 

18  minent  physical  or  mental  harm  to  the  subject  of  protected 

19  health  information,  any  person  may,  in  order  to  allay  or 

20  remedy  such  threat,  disclose  protected  health  information 

21  about  such  subject  to  a  health  care  practitioner,  health 

22  care  facility,  law  enforcement  authority,  or  emergency 

23  medical  personnel. 
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1  (b)  Harm  to  Others. — Any  person  may  disclose 

2  protected  health  information  about  the  subject  of  the  in- 

3  formation  where — 

4  (1)  such  subject  has  made  an  identifiable  threat 

5  of  serious  injury  or  death  with  respect  to  an  identifi- 

6  able  individual  or  ^oup  of  individuals; 

7  (2)  the  subject  has  the  ability  to  carry  out  such 

8  threat;  and 

9  (3)  the  release  of  such  information  is  necessary 

10  to  prevent  or  significantly  reduce  the  possibility  of 

1 1  such  threat  being  carried  out. 

12  SEC.  205.  PUBLIC  HEALTH. 

13  (a)  In  General. — health  care  provider,  health 


14  plan,  public  health  authority,  employer,  health  or  life  in- 

15  surer,  law  enforcement  official,  school,  or  university  may 

16  disclose  protected  health  information  to  a  public  health  au- 

17  thority  or  other  person  authorized  by  pubhc  health  law 

1 8  when  receipt  of  such  information  by  the  authority  or  other 

19  person — 


20  (1)  relates  directly  to  a  specified  pubhc  health 

21  purpose; 

22  (2)  is  reasonably  likely  to  achieve  such  purpose; 

23  and 
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1  (3)  is  intended  for  a  purpose  that  cannot  be 

2  achieved  through  the  receipt  or  use  of  de-identified 

3  health  information. 

4  (b)  Public  Health  Purpose  Defined. — For  pur- 


5  poses  of  subsection  (a),  the  term  "public  health  purpose" 

6  means  a  population-based  activity  or  individual  effort,  au- 

7  thorized  by  law,  aimed  at  the  prevention  of  injury,  disease, 

8  or  premature  mortality,  or  the  promotion  of  health,  in  a 

9  community,  including — 


10  (1)  assessing  the  health  needs  and  status  of  the 

11  community  through  public  health  surveillance  and 

12  epidemiological  research; 

13  (2)  developing  public  health  pohcy; 

14  (3)  responding  to  public  health  needs  and  emer- 

15  gencies;  and 

16  (4)  any  other  activities  or  efforts  authorized  by 

17  law. 

1 8  SEC.  206.  PROTECTION  AND  ADVOCACY  AGENCIES. 

19  Any  person  who  creates  protected  health  information 


20  or  receives  protected  health  information  under  this  title 

21  may  disclose  that  information  to  a  protection  and  advo- 

22  cacy  agency  established  under  part  C  of  title  I  of  the  De- 

23  velopmental  Disabilities  Assistance  and  Bill  of  Rights  Act 

24  (42  U.S.C.  6041  et  seq.)  or  under  the  Protection  and  Ad- 

25  vocacy  for  Mentally  111  Individuals  Act  of  1986  (42  U.S.C. 
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1  10801  et  seq.)  when  such  agency  can  estabhsh  that  there 

2  is  probable  cause  to  believe  that  an  individual  who  is  the 

3  subject  of  the  protected  health  information  is  vulnerable 

4  to  abuse  and  neglect  by  an  entity  providing  health  or  social 

5  services  to  the  individual. 

6  SEC.  207.  OVERSIGHT. 

7  (a)  In  General. — health  care  provider,  health 

8  plan,  employer,  law  enforcement  official,  health  or  life  in- 

9  surer,  public  health  authority,  health  researcher,  school  or 

10  university  may  disclose  protected  health  information  to  a 

11  health  oversight  agency  to  enable  the  agency  to  perform 

12  a  health  oversight  function  authorized  by  law,  if — 

13  (1)  the  purpose  for  which  the  disclosure  is  to  be 

14  made  cannot  reasonably  be  accomplished  without 

15  protected  health  information; 

16  (2)  the  purpose  for  which  the  disclosure  is  to  be 

17  made  is  of  sufficient  importance  to  warrant  the  ef- 

18  feet  on,  or  the  risk  to,  the  privacy  of  the  individuals 

19  that  additional  exposure  of  the  information  might 

20  bring;  and 

21  (3)  there  is  a  reasonable  probability  that  the 

22  purpose  of  the  disclosure  will  be  accomplished. 

23  (b)   Use   and   Maintenance   of  Protected 

24  Health  Information. — health  oversight  agency  that 

25  receives  protected  health  information  under  this  section — 
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1  (1)  shall  rely  upon  a  method  to  scramble  or 

2  otherwise  safeguard,  to  the  maximum  extent  prae- 

3  ticable,  the  identity  of  the  subject  of  the  protected 

4  health  information  in  all  work  papers  and  all  docu- 

5  ments  summarizing  the  health  oversight  activity; 

6  (2)  shall  maintain  in  its  records  only  such  infor- 

7  mation  about  an  individual  as  is  relevant  and  nec- 

8  essary  to  accomplish  the  purpose  for  which  the  pro- 

9  tected  health  information  was  obtained; 

10  (3)  shall  maintain  such  information  securely 

11  and  limit  access  to  such  information  to  those  per- 

12  sons  with  a  legitimate  need  for  access  to  carry  out 

13  the  purpose  for  which  the  records  were  obtained; 

14  and 

15  (4)  shall  remove  or  destroy  the  information  that 

16  allows  subjects  of  protected  health  information  to  be 

17  identified  at  the  earliest  time  at  which  removal  or 

18  destruction  can  be  accomplished,  consistent  with  the 

19  purpose  of  the  health  oversight  activity. 

20  (c)  Use  of  Protected  Health  Information  in 

21  Judicial  Proceedings. — 

22  (1)  In  general. —  The  disclosure  and  use  of 

23  protected  health  information  in  any  judicial,  admin- 

24  istrative,  court,  or  other  public,  proceeding  or  inves- 

25  tigation  relating  to  a  health  oversight  activity  shall 
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1  be  undertaken  in  such  a  manner  as  to  preserve  the 

2  confidentiahty  and  privacy  of  individuals  who  are  the 

3  subject  of  the  information,  unless  disclosure  is  re- 

4  quired  by  the  nature  of  the  proceedings. 

5  (2)  Limiting  disclosure. — ^Whenever  disclo- 

6  sure  of  the  identity  of  the  subject  of  protected  health 

7  information  is  required  by  the  nature  of  the  proceed- 

8  ings,  or  it  is  impracticable  to  redact  the  identity  of 

9  such  individual,  the  agency  shall  request  that  the 

10  presiding  judicial  or  administrative  officer  enter  an 

11  order  limiting  the  disclosure  of  the  identity  of  the 

12  subject  to  the  extent  possible,  including  the  redact- 

13  ing  of  the  protected  health  information  from  publicly 

14  disclosed  or  filed  pleadings  or  records. 

15  (d)  Authorization  by  a  Supervisor. — For  pur- 

16  poses  of  this  section,  the  individual  with  authority  to  au- 

17  thorize  the  oversight  function  involved  shall  provide  to  the 

18  disclosing  person  described  in  subsection  (a)  a  statement 

19  that  the  protected  health  information  is  being  sought  for 

20  a  legally  authorized  oversight  function. 

21  (e)  Use  in  Action  Against  Individuals. — Pro- 

22  tected  health  information  about  an  individual  that  is  dis- 

23  closed  under  this  section  may  not  be  used  in,  or  disclosed 

24  to  any  person  for  use  in,  an  administrative,  civil,  or  crimi- 

25  nal  action  or  investigation  directed  against  the  individual, 
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1  unless  the  action  or  investigation  arises  out  of  and  is  di- 

2  rectly  related  to — 

3  (1)  the  receipt  of  health  care  or  payment  for 

4  health  care; 

5  (2)  a  fraudulent  claim  related  to  health;  or 

6  (3)  oversight  of  a  public  health  authority  or  a 

7  health  researcher. 

8  SEC.  208.  DISCLOSURE  FOR  LAW  ENFORCEMENT  PUR- 

9  POSES. 

10  (a)  Law  Enforcement  Access  to  Protected 

11  Health  Information. — health  care  provider,  health 

12  researcher,  health  plan,  health  oversight  agency,  employer, 

13  health  or  life  insurer,  school,  university,  a  person  acting 

14  as  the  agent  of  any  such  person,  or  a  person  who  receives 

15  protected  health  information  pursuant  to  section  204,  may 

16  disclose  protected  health  information  to  an  investigative 

17  or  law  enforcement  officer  pursuant  to  a  warrant  issued 

18  under  the  Federal  Rules  of  Criminal  Procedure,  an  equiva- 

19  lent  State  warrant,  a  grand  jury  subpoena,  or  a  court 

20  order  under  hmitations  set  forth  in  subsection  (b). 

21  (b)  Requirements  for  Court  Orders  for  Ac- 

22  CESS  TO  Protected  Health  Information. — ^A  court 

23  order  for  the  disclosure  of  protected  health  information 

24  under  subsection  (a)  may  be  issued  by  any  court  that  is 

25  a  court  of  competent  jurisdiction  and  shall  issue  only  if 
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1  the  investigative  or  law  enforcement  officer  submits  a  writ- 

2  ten  application  upon  oath  or  equivalent  affirmation  dem- 

3  onstrating  that  there  is  probable  cause  to  beUeve  that — 

4  (1)  the  protected  health  information  sought  is 

5  relevant  and  material  to  an  ongoing  criminal  inves- 

6  tigation,  except  in  the  case  of  a  State  government 

7  authority,  such  a  court  order  shall  not  issue  if  pro- 

8  hibited  by  the  law  of  such  State; 

9  (2)  the  investigative  or  evidentiary  needs  of  the 

10  investigative  or  law  enforcement  officer  cannot  rea- 

11  sonably  be  satisfied  by  de-identified  health  informa- 

12  tion  or  by  any  other  information;  and 

13  (3)  the  law  enforcement  need  for  the  informa- 

14  tion  outweighs  the  privacy  interest  of  the  individual 

15  to  whom  the  information  pertains. 

16  (c)  Motions  To  Quash  or  Modify. — court 

17  issuing  an  order  pursuant  to  this  section,  on  a  motion 

18  made  promptly  by  the  health  care  provider,  health  re- 

19  searcher,  health  plan,  health  oversight  agency,  employer, 

20  health  or  life  insurer,  school,  university,  a  person  acting 

21  as  the  agent  of  any  such  person,  or  a  person  who  receives 

22  protected  health  information  pursuant  to  section  204,  may 

23  quash  or  modify  such  order  if  the  court  finds  that  informa- 

24  tion  or  records  requested  are  unreasonably  voluminous  or 


>S  573  IS 


47 

1  if  compliance  with  such  order  otherwise  would  cause  an 

2  unreasonable  burden  on  such  persons. 

3  (d)  Notice. — 

4  (1)  In  general. — Except  as  provided  in  para- 

5  graph  (2),  no  order  for  the  disclosure  of  protected 

6  health  information  about  an  individual  may  be 

7  issued  by  a  court  under  this  section  unless  prior  no- 

8  tice  of  the  apphcation  for  the  order  has  been  served 

9  on  the  individual  and  the  individual  has  been  af- 

10  forded  an  opportunity  to  oppose  the  issuance  of  the 

1 1  order. 

12  (2)  Notice  not  required. — ^An  order  for  the 

13  disclosure  of  protected  health  information  about  an 

14  individual  may  be  issued  without  prior  notice  to  the 

15  individual  if  the  court  finds  that  notice  would  be  im- 

16  practical  because — 

17  (A)  the  name  and  address  of  the  individual 

18  are  unknown;  or 

19  (B)  notice  would  risk  destruction  or  un- 

20  availability  of  the  evidence. 

21  (e)  Conditions. — Upon  the  granting  of  an  order  for 

22  disclosure  of  protected  health  information  under  this  sec- 

23  tion,  the  court  shall  impose  appropriate  safeguards  to  en- 

24  sure  the  confidentiality  of  such  information  and  to  protect 

25  against  unauthorized  or  improper  use  or  disclosure. 
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1  (f)  Limitation  on  Use  and  Disclosure  for 

2  Other    Law    Enforcement    Inquiries. — Protected 

3  health  information  about  an  individual  that  is  disclosed 

4  under  this  section  may  not  be  used  in,  or  disclosed  to  any 

5  person  for  use  in,  any  administrative,  civil,  or  criminal  ac- 

6  tion  or  investigation  directed  against  the  individual,  unless 

7  the  action  or  investigation  arises  out  of,  or  is  directly  re- 

8  lated  to,  the  law  enforcement  inquiry  for  which  the  infor- 

9  mation  was  obtained. 

10  (g)  Destruction  or  Return  of  Information. — 

1 1  When  the  matter  or  need  for  which  protected  health  infor- 

12  mation  was  disclosed  to  an  investigative  or  law  enforce- 

13  ment  officer  or  grand  jury  has  concluded,  including  any 

1 4  derivative  matters  arising  from  such  matter  or  need,  the 

15  law  enforcement  agency  or  grand  jury  shall  either  destroy 

16  the  protected  health  information,  or  return  it  to  the  person 

17  from  whom  it  was  obtained. 

18  (h)  Redactions. — To  the  extent  practicable,  and 

19  consistent  with  the  requirements  of  due  process,  a  law  en- 

20  forcement  agency  shall  redact  personally  identifying  infor- 

21  mation  from  protected  health  information  prior  to  the 

22  public  disclosure  of  such  protected  information  in  a  judi- 

23  cial  or  administrative  proceeding. 

24  (i)  Exception. — This  section  shall  not  be  construed 

25  to  limit  or  restrict  the  ability  of  law  enforcement  authori- 
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1  ties  to  gain  information  while  in  hot  pursuit  of  a  suspect 

2  or  if  other  exigent  circumstances  exist. 

3  SEC.  209.  NEXT  OF  KIN  AND  DIRECTORY  INFORMATION. 

4  (a)  Next  of  Kin. — health  care  provider,  or  a  per- 

5  son  who  receives  protected  health  information  under  sec- 

6  tion  204,  may  disclose  protected  health  information  about 

7  health  care  services  provided  to  an  individual  to  the  indi- 

8  vidual's  next  of  kin,  or  to  another  person  whom  the  indi- 

9  vidual  has  identified,  if  at  the  time  of  the  treatment  of 
10  the  individual — 


11  (1)  the  individual — 

12  (A)  has  been  notified  of  the  individual's 

13  right  to  object  to  such  disclosure  and  the  indi- 

14  vidual  has  not  objected  to  the  disclosure;  or 

15  (B)  is  in  a  physical  or  mental  condition 

16  such  that  the  individual  is  not  capable  of  object- 

17  ing,  and  there  are  no  prior  indications  that  the 

18  individual  would  object;  and 

19  (2)  the  information  disclosed  relates  to  health 

20  care  services  currently  being  provided  to  that  indi- 

21  vidual. 

22  (b)  Directory  Information. — 

23  (1)  Disclosure. — 

24  (A)  In  general. — Except  as  provided  in 

25  paragraph  (2),  with  respect  an  individual  who  is 
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1  admitted  as  an  inpatient  to  a  health  care  facil- 

2  ity,  a  person  described  in  subsection  (a)  may 

3  disclose  information  described  in  subpara^aph 

4  (B)  about  the  individual  to  any  person  if,  at  the 

5  time  of  the  admission,  the  individual — 

6  (i)  has  been  notified  of  the  individ- 

7  ual's  right  to  object  and  has  not  objected 

8  to  the  disclosure;  or 

9  (ii)  is  in  a  physical  or  mental  condi- 

10  tion  such  that  the  individual  is  not  capable 

11  of  objecting  and  there  are  no  prior  indica- 

12  tions  that  the  individual  would  object. 

13  (B)  Information. — ^Information  described 

14  in  this  subparagraph  is  information  that  con- 

15  sists  only  of  1  or  more  of  the  following  items: 

16  (i)  The  name  of  the  individual  who  is 

17  the  subject  of  the  information. 

18  (ii)  The  general  health  status  of  the 

19  individual,  described  as  critical,  poor,  fair, 

20  stable,  or  satisfactory  or  in  terms  denoting 

21  similar  conditions. 

22  (iii)  The  location  of  the  individual 

23  within  the  health  care  facility  to  which  the 

24  individual  is  admitted. 
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1  (2)  Exception. — ^Para^aph  (l)(B)(iii)  shall 

2  not  apply  if  disclosure  of  the  location  of  the  individ- 

3  ual  would  reveal  specific  information  about  the  phys- 

4  ical  or  mental  condition  of  the  individual,  unless  the 

5  individual  expressly  authorizes  such  disclosure. 

6  (c)  Directory  or  Next-of-Kin  Information. — 

7  disclosure  may  not  be  made  under  this  section  if  the  dis- 

8  closing  person  described  in  subsection  (a)  has  reason  to 

9  believe  that  the  disclosure  of  directory  or  next-of-kin  infor- 

10  mation  could  lead  to  the  physical  or  mental  harm  of  the 

1 1  individual,  unless  the  individual  expressly  authorizes  such 

12  disclosure, 

13  SEC.  210.  HEALTH  RESEARCH. 

14  (a)  Regulations. — 

15  (1)  In  general. — The  requirements  and  pro- 

16  tections  provided  for  under  part  46  of  title  45,  Code 

17  of  Federal  Regulations  (as  in  effect  on  the  date  of 

18  enactment  of  this  Act),  shall  apply  to  all  health  re- 

19  search. 

20  (2)  Effective  date. — Paragraph  (1)  shall  not 

21  take  effect  until  the  Secretary  has  promulgated  final 

22  regulations  to  implement  such  paragraph. 

23  (b)  Evaluation. — Not  later  than  24  months  after 

24  the  date  of  enactment  of  this  Act,  the  Secretary  shall  pre- 

25  pare  and  submit  to  Congress  detailed  recommendations  on 
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1  whether  written  informed  consent  should  be  required,  and 

2  if  so,  under  what  circumstances,  before  protected  health 

3  information  can  be  used  for  health  research. 


4  (c)  Recommendations. — The  recommendations  re- 

5  quired   to   be   submitted   under  subsection   (b)  shall 

6  include — 

7  (1)  a  detailed  explanation  of  current  institu- 

8  tional  review  board  practices,  including  the  extent  to 

9  which  the  privacy  of  individuals  is  taken  into  ac- 

10  count  as  a  factor  before  allowing  waivers  and  under 

11  what   circumstances    informed    consent   is  being 

12  waived; 

13  (2)  a  summary  of  how  technology  could  be  used 

14  to  strip  identifying  data  for  the  purposes  of  re- 

15  search; 

16  (3)  an  analysis  of  the  risks  and  benefits  of  re- 

17  quiring  informed  consent  versus  the  waiver  of  in- 

18  formed  consent; 

19  (4)  an  analysis  of  the  risks  and  benefits  of 

20  using  protected  health  information  for  research  pur- 

21  poses  other  than  the  health  research  project  for 

22  which  such  information  was  obtained;  and 

23  (5)  an  analysis  of  the  risks  and  benefits  of  al- 

24  lowing  individuals  to  consent  or  to  refuse  to  consent, 

25  at  the  time  of  receiving  medical  treatment,  to  the 
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1  possible  future  use  of  records  of  medical  treatments 

2  for  research  studies. 

3  (d)  Consultation. — In  carrying"  out  this  section, 

4  the  Secretary  shall  consult  with  individuals  who  have  dis- 

5  tinguished  themselves  in  the  fields  of  health  research,  pri- 

6  vacy,  related  technology,  consumer  interests  in  health  in- 

7  formation,  health  data  standards,  and  the  provision  of 

8  health  services. 

9  (e)  Congressional  Notice. — Not  later  than  6 

10  months  after  the  date  on  which  the  Secretary  submits  to 

1 1  Congress  the  recommendations  required  under  subsection 

12  (b),  the  Secretary  shall  propose  to  implement  such  rec- 

13  ommendations  through  reflations  promulgated  on  the 

14  record  after  opportunity  for  a  hearing,  and  shall  advise 

15  the  Confess  of  such  proposal. 

16  (f)  Other  Requirements. — 

17  (1)  Obligations  of  the  recipient. — per- 

18  son  who  receives  protected  health  information  pursu- 

19  ant  to  this  section  shall  remove  or  destroy,  at  the  - 

20  earliest  opportunity  consistent  with  the  purposes  of 

21  the  project  involved,  information  that  would  enable 

22  an  individual  to  be  identified,  unless — 

23  (A)  an  institutional  review  board  has  de- 

24  termined  that  there  is  a  health  or  research  jus- 
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1  tifieation  for  the  retention  of  such  identifiers; 

2  and 

3  (B)  there  is  an  adequate  plan  to  protect 

4  the  identifiers  from  disclosure  consistent  with 

5  this  section;  and 

6  (2)  Periodic  review  and  technical  assist- 

7  ANCE. — 

8  (A)  Institutional  review  board. — Any 

9  institutional  review  board  that  authorizes  re- 

10  search  under  this  section  shall  provide  the  Sec- 

1 1  retary  with  the  names  and  addresses  of  the  in- 

12  stitutional  review  board  members. 

13  (B)  Technical  assistance. — The  Sec- 

14  retary  may  provide  technical  assistance  to  insti- 

15  tutional  review  boards  described  in  this  sub- 

16  section. 

17  (C)  Monitoring. — The  Secretary  shall  pe- 

18  riodically  monitor  institutional  review  boards 

19  described  in  this  subsection. 

20  (D)  Reports. — Not  later  than  3  years 

21  after  the  date  of  enactment  of  this  Act,  the  Sec- 

22  retary  shall  report  to  Congress  regarding  the 

23  activities  of  institutional  review  boards  de- 

24  scribed  in  this  subsection. 
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1  (g)  Limitation. — Nothing  in  this  section  shall  be 

2  constraed  to  permit  protected  health  information  that  is 

3  received  by  a  researcher  under  this  section  to  be  accessed 

4  for  purposes  other  than  research  or  as  authorized  by  the 

5  individual. 

6  SEC.  211.  JUDICIAL  AND  ADMINISTRATIVE  PURPOSES. 

7  (a)  In  General. — health  care  provider,  health 

8  plan,  health  oversight  agency,  employer,  insurer,  health  or 

9  life  insurer,  school  or  university,  a  person  acting  as  the 

10  agent  of  any  such  person,  or  a  person  who  receives  pro- 

11  tected  health  information  under  section  204,  may  disclose 

12  protected  health  information — 

13  (1)  pursuant  to  the  standards  and  procedures 

14  established  in  the  Federal  Rules  of  Civil  Procedure 

15  or  comparable  rules  of  other  courts  or  administrative 

16  agencies,  in  connection  with  litigation  or  proceedings 

17  to  which  an  individual  who  is  the  subject  of  the  in- 

18  formation  is  a  party  and  in  which  the  individual  has 

19  placed  his  or  her  physical  or  mental  condition  at 

20  issue; 

21  (2)  to  a  court,  and  to  others  ordered  by  the 

22  court,  if  in  response  to  a  court  order  issued  by  a 

23  court  of  competent  jurisdiction  in  accordance  with 

24  subsections  (b)  and  (c);  or 
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1  (3)  if  necessary  to  present  to  a  court  an  appli- 

2  cation  regarding  the  provision  of  treatment  of  an  in- 

3  dividual  or  the  appointment  of  a  guardian. 

4  (b)  Court  Orders  for  Access  to  Protected 


5  HeaIjTH  Information. — court  order  for  the  disclosure 

6  of  protected  health  information  under  subsection  (a)  may 

7  be  issued  only  if  the  person  seeking  disclosure  submits  a 

8  written  application  upon  oath  or  equivalent  affirmation 

9  demonstrating  by  clear  and  convincing  evidence  that — 


10  (1)  the  protected  health  information  sought  is 

11  necessary  for  the  adjudication  of  a  material  fact  in 

12  dispute  in  a  civil  proceeding; 

13  (2)  the  adjudicative  need  cannot  be  reasonably 

14  satisfied  by  de-identified  health  information  or  by 

15  any  other  information;  and 

16  (3)  the  need  for  the  information  outweighs  the 

17  privacy  interest  of  the  individual  to  whom  the  infor- 

18  mation  pertains. 

19  (c)  Notice. — 

20  (1)  In  general. — Except  as  provided  in  para- 

21  graph  (2),  no  order  for  the  disclosure  of  protected 

22  health  information  about  an  individual  may  be 

23  issued  by  a  court  unless  notice  of  the  application  for 

24  the  order  has  been  served  on  the  individual  and  the 
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1  individual  has  been  afforded  an  opportunity  to  op- 

2  pose  the  issuance  of  the  order. 

3  (2)  Notice  not  required. — ^An  order  for  the 

4  disclosure  of  protected  health  information  about  an 

5  individual  may  be  issued  without  notice  to  the  indi- 

6  vidual  if  the  court  finds,  by  clear  and  convincing  evi- 

7  dence,  that  notice  would  be  impractical  because — 

8  (A)  the  name  and  address  of  the  individual 

9  are  unknown;  or 

10  (B)  notice  would  risk  destruction  or  un- 

1 1  availability  of  the  evidence. 

12  (d)  Obligations  of  Recipient. — person  seeking 

13  protected  health  information  pursuant  to  subsection 

14  (a)(1)— 

15  (1)  shall  notify  the  individual  or  the  individual's 

16  attorney  of  the  request  for  the  information; 

17  (2)   shall  provide  the  health  care  provider, 

18  health  plan,  health  oversight  agency,  employer,  in- 

19  surer,  health  or  life  insurer,  school  or  university, 

20  agent,  or  other  person  involved  with  a  signed  docu- 

21  ment  attesting — 

22  (A)  that  the  individual  has  placed  his  or 

23  her  physical  or  mental  condition  at  issue  in  liti- 

24  gation  or  proceedings  in  which  the  individual  is 

25  a  party;  and 


•S  573  IS 


58 

1  (B)  the  date  on  which  the  individual  or  the 

2  individual's  attorney  was  notified  under  para- 

3  graph  (1);  and 

4  (3)  shall  not  accept  any  requested  protected 

5  health  information  from  the  health  care  provider, 

6  health  plan,  health  oversight  agency,  employer,  in- 

7  surer,  health  or  life  insurer,  school  or  university, 

8  agent,  or  person  until  the  termination  of  the  10-day 

9  period  beginning  on  the  date  notice  was  given  under 

10  paragraph  (1). 

1 1  SEC.  212.  INDIVroUAL  REPRESENTATIVES. 

12  (a)  In  General. — Except  as  provided  in  subsections 

13  (b)  and  (c),  a  person  who  is  authorized  by  law  (based  on 

14  grounds  other  than  an  individual's  status  as  a  minor),  or 

15  by  an  instrument  recognized  under  law,  to  act  as  an  agent, 

16  attorney,  proxy,  or  other  legal  representative  of  a  individ- 

17  ual,  may,  to  the  extent  so  authorized,  exercise  and  dis- 

18  charge  the  rights  of  the  individual  under  this  Act. 

19  (b)  Health  Care  Power  of  Attorney. — ^A  person 

20  who  is  authorized  by  law  (based  on  grounds  other  than 

21  being  a  minor),  or  by  an  instrument  recognized  under  law, 

22  to  make  decisions  about  the  provision  of  health  care  to 

23  an  individual  who  is  incapacitated,  may  exercise  and  dis- 

24  charge  the  rights  of  the  individual  under  this  Act  to  the 
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1  extent  necessary  to  effectuate  the  terms  or  purposes  of 

2  the  grant  of  authority. 

3  (c)  No  Court  Declaration. — If  a  physician  or 

4  other  health  care  provider  determines  that  an  individual, 

5  who  has  not  been  declared  to  be  legally  incompetent,  suf- 

6  fers  from  a  medical  condition  that  prevents  the  individual 

7  from  acting"  knowingly  or  effectively  on  the  individual's 

8  own  behalf,  the  right  of  the  individual  to  authorize  disclo- 

9  sure  under  this  Act  may  be  exercised  and  discharged  in 
10  the  best  interest  of  the  individual  by — 


11  (1)  a  person  described  in  subsection  (b)  with  re- 

12  spect  to  the  individual; 

13  (2)  a  person  described  in  subsection  (a)  with  re- 

14  spect  to  the  individual,  but  only  if  a  person  de- 

15  scribed  in  paragraph  (1)  cannot  be  contacted  after 

16  a  reasonable  effort; 

17  (3)  the  next  of  kin  of  the  individual,  but  only 

18  if  a  person  described  in  paragraph  (1)  or  (2)  cannot 

19  be  contacted  after  a  reasonable  effort;  or 

20  (4)  the  health  care  provider,  but  only  if  a  per- 

21  son  described  in  paragraph  (1),  (2),  or  (3)  cannot  be 

22  contacted  after  a  reasonable  effort. 

23  (d)  Rights  of  Minors. — 

24  (1)  Individuals  who  are  i8  or  legally  ca- 

25  PABLE. — In  the  case  of  an  individual — 
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1  (A)  who  is  18  years  of  age  or  older,  all 

2  rights  of  the  individual  under  this  Act  shall  be 

3  exercised  by  the  individual;  or 

4  (B)  who,  acting  alone,  can  obtain  a  type  of 

5  health  care  without  violating  any  applicable  law, 

6  and  who  has  sought  such  care,  the  individual 

7  shall  exercise  all  rights  of  an  individual  under 

8  this  Act  with  respect  to  protected  health  infor- 

9  mation  relating  to  such  health  care. 

10  (2)  INDIVIDUAI.S  UNDER  18. — Except  as  pro- 

11  vided  in  paragraph  (1)(B),  in  the  case  of  an  individ- 

12  ual  who  is — 

13  (A)  under  14  years  of  age,  all  of  the  indi- 

14  vidual's  rights  under  this  Act  shall  be  exercised 

15  through  the  parent  or  legal  guardian;  or 

16  (B)  14  through  17  years  of  age,  the  rights 

17  of  inspection  and  supplementation,  and  the 

18  right  to  authorize  use  and  disclosure  of  pro- 

19  tected  health  information  of  the  individual  shall 

20  be  exercised  by  the  individual,  or  by  the  parent 

21  or  legal  guardian  of  the  individual. 

22  (e)  Deceased  Individuals. — 

23  (1)  Application  of  act. — The  provisions  of 

24  this  Act  shall  continue  to  apply  to  protected  health 

25  information  concerning  a  deceased  individual. 
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1  (2)  Exercise  of  rights  on  behalf  of  a  de- 

2  ceased  individual. — person  who  is  authorized 

3  by  law  or  by  an  instrument  recognized  under  law,  to 

4  act  as  an  executor  of  the  estate  of  a  deceased  indi- 

5  vidual,  or  otherwise  to  exercise  the  rights  of  the  de- 

6  ceased  individual,  may,  to  the  extent  so  authorized, 

7  exercise  and  discharge  the  rights  of  such  deceased 

8  individual  under  this  Act.  If  no  such  designee  has 

9  been  authorized,  the  rights  of  the  deceased  individ- 

10  ual  may  be  exercised  as  provided  for  in  subsection 

11  (c). 

12  (3)  Identification  of  deceased  individ- 

13  UAL. — person  described  in  section  209(a)  may  dis- 

14  close  protected  health  information  if  such  disclosure 

15  is  necessary  to  assist  in  the  identification  of  a  de- 

16  ceased  individual. 

17  SEC.  213.  PROHffimON  AGAINST  RETALIATION. 

18  A  health  care  provider,  health  researcher,  health 

19  plan,  health  oversight  agency,  employer,  health  or  life  in- 

20  surer,  school  or  university,  person  acting  as  an  agent  of 

21  any  such  person,  or  person  who  receives  protected  health 

22  information  under  section  204  may  not  adversely  affect 

23  another  person,  directly  or  indirectly,  because  such  person 

24  has  exercised  a  right  under  this  Act,  disclosed  information 

25  relating  to  a  possible  violation  of  this  Act,  or  associated 
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1  with,  or  assisted,  a  person  in  the  exercise  of  a  right  under 

2  this  Act. 

3  TITLE  III— OFFICE  OF  HEALTH 

4  INFORMATION    PRIVACY  OF 

5  THE        DEPARTMENT  OF 

6  HEALTH  AND  HUMAN  SERV- 

7  ICES 

8  Subtitle  A — Designation 

9  SEC.  301.  DESIGNATION. 

10  (a)  In  General, — The  Secretary  shall  designate  an 

1 1  office  within  the  Department  of  Health  and  Human  Serv- 

12  ices  to  be  known  as  the  Office  of  Health  Information  Pri- 

13  vacy.  The  Office  shall  be  headed  by  a  Director,  who  shall 

14  be  appointed  by  the  Secretary. 

15  (b)  Duties.— The  Director  of  the  Office  of  Health 

16  Information  Privacy  shall — 

17  (1)  receive  and  investigate  complaints  of  alleged 

18  violations  of  this  Act; 

19  (2)  provide  for  the  conduct  of  audits  where  ap- 

20  propriate; 

21  (3)  provide  guidance  to  the  Secretary  in  the  im- 

22  plementation  of  this  Act; 

23  (4)  prepare  and  submit  the  report  described  in 

24  subsection  (c); 
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1  (5)  consult  with,  and  provide  recommendation 

2  to,  the  Secretary  concerning  improvements  in  the 

3  privacy  and  security  of  protected  health  information 

4  and  concerning  medical  privacy  research  needs;  and 

5  (6)  carry  out  any  other  activities  determined 

6  appropriate  by  the  Secretary. 

7  (c)  Report  on  Compliance. — Not  later  than  Janu- 

8  ary  1  of  the  first  calendar  year  beginning  more  than  1 

9  year  after  the  establishment  of  the  Office  under  subsection 

10  (a),  and  every  January  1  thereafter,  the  Secretary,  in  con- 

1 1  sultation  with  the  Director  of  the  Office  of  Health  Infor- 

12  mation  Privacy,  shall  prepare  and  submit  to  Congress  a 

13  report  concerning  the  number  of  complaints  of  alleged  vio- 

14  lations  of  this  Act  that  are  received  during  the  year  for 

15  which  the  report  is  being  prepared.  Such  report  shall  de- 

16  scribe  the  complaints  and  any  remedial  action  taken  con- 

17  corning  such  complaints. 

18  Subtitle  B — Enforcement 

19  CHAPTER  1— CRIMINAL  PROVISIONS 

20  SEC.    311.    WRONGFUL    DISCLOSURE    OF  PROTECTED 

21  HEALTH  INFORMATION. 

22  (a)  In  General. — Part  I  of  title  18,  United  States 

23  Code,  is  amended  by  adding  at  the  end  the  following: 
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1  "CHAPTER  124— WRONGFUL  DISCLOSURE 

2  OF  PROTECTED  HEALTH  INFORMATION 

"Sec. 

"2801.  Wroii^l  disclosure  of  protected  health  information. 

3  "§2801.  Wrongful  disclosure  of  protected  health  in- 


4  formation 

5  "(a)  Offense. — The  penalties  described  in  sub- 

6  section  (b)  shall  apply  to  a  person  that  knowingly  and 

7  intentionally — 

8  "(1)  obtains  or  attempts  to  obtain  protected 

9  health  information  relating  to  an  individual  in  viola- 

10  tion  of  title  II  of  the  Medical  Information  Privacy 

1 1  and  Security  Act;  or 

12  "(2)  discloses  or  attempts  to  disclose  protected 

13  health  information  to  another  person  in  violation  of 

14  title  II  of  the  Medical  Information  Privacy  and  Se- 

15  curity  Act. 

16  "(b)  Penalties. — ^A  person  described  in  subsection 

17  (a)  shall— 

18  "(1)  be  fined  not  more  than  $50,000,  impris- 

19  oned  not  more  than  1  year,  or  both; 

20  "(2)  if  the  offense  is  committed  under  false  pre- 

21  tenses,  be  fined  not  more  than  $250,000,  imprisoned 

22  not  more  than  5  years,  or  any  combination  of  such 

23  penalties;  or 
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1  "(3)  if  the  offense  is  committed  with  the  intent 

2  to  sell,  transfer,  or  use  protected  health  information 

3  for  commercial  advantage,  personal  gain,  or  mali- 

4  cious  harm,  be  fmed  not  more  than  $500,000,  im- 

5  prisoned  not  more  than  10  years,  excluded  from  par- 

6  ticipation  in  any  Federally  funded  health  care  pro- 

7  grams,  or  any  combination  of  such  penalties. 

8  ''(c)  Subsequent  Offenses. — In  the  case  of  a  per- 

9  son  described  in  subsection  (a),  the  maximum  penalties 

10  described  in  subsection  (b)  shall  be  doubled  for  every  sub- 

1 1  sequent  conviction  for  an  offense  arising  out  of  a  violation 

12  or  violations  related  to  a  set  of  circumstances  that  are  dif- 

13  ferent  from  those  involved  in  the  previous  violation  or  set 

14  of  related  violations  described  in  such  subsection  (a).". 

15  (b)  Clerical  Amendment. — The  table  of  chapters 

16  for  part  I  of  title  18,  United  States  Code,  is  amended  by 

17  inserting  after  the  item  relating  to  chapter  123  the  follow- 

18  ing  new  item: 

"124.  Wrongful  disclosure  of  protected  health  mformatiou    2801". 

1 9  SEC.  312.  DEBARMENT  FOR  CRIMES. 

20  (a)  Purpose. — The  purpose  of  this  section  is  to  pro- 

21  mote  the  prevention  and  deterrence  of  instances  of  inten- 

22  tional  criminal  actions  which  violate  criminal  laws  which 

23  are  designed  to  protect  the  privacy  of  protected  health  in- 

24  formation  in  a  manner  consistent  with  this  Act. 
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1  (b)  Debakment. — Not  later  than  270  days  after  the 

2  date  of  enactment  of  this  Act,  the  Attorney  General,  in 

3  consultation  with  the  Secretary,  shall  promulgate  regula- 

4  tions  and  estabhsh  procedures  to  permit  the  debarment 

5  of  health  care  providers,  health  researchers,  health  or  life 

6  insurers,  employers,  or  schools  or  universities  from  receiv- 

7  ing  benefits  under  any  Federal  health  programs  or  other 

8  Federal  procurement  program  if  the  managers  or  officers 

9  of  such  persons  are  found  guilty  of  violating  section  2801 

10  of  title  18,  United  States  Code,  have  civil  penalties  im- 

11  posed  against  such  officers  or  managers  under  section  321 

12  in  connection  with  the  illegal  disclosure  of  protected  health 

13  information,  or  are  found  guilty  of  making  a  false  state- 

14  ment  or  obstructing  justice  related  to  attempting  to  con- 

15  ceal  or  concealing  such  illegal  disclosure.  Such  regulations 

16  shall  take  into  account  the  need  for  continuity  of  medical 

17  care  and  may  provide  for  a  delay  of  any  debarment  im- 

18  posed  under  this  section  to  take  into  account  the  medical 

1 9  needs  of  patients. 

20  (c)  Consultation. — Before  publishing  a  proposed 

21  rule  to  implement  subsection  (b),  the  Attorney  General 

22  shall  consult  with  State  law  enforcement  officials,  health 

23  care  providers,  patient  privacy  rights'  advocates,  and  other 

24  appropriate  persons,  to  gain  additional  information  re- 

25  garding  the  debarment  of  entities  under  subsection  (b) 


•S  573  IS 


I 

67 

1  and  the  best  methods  to  ensure  the  continuity  of  medical 

2  care. 

3  (d)  Report. — The  Attorney  General  shall  annually 

4  prepare  and  submit  to  the  Committee  on  the  Judiciary  of 

5  the  House  of  Representatives  and  the  Committee  on  the 

6  Judiciary  of  the  Senate  a  report  concerning  the  activities 

7  and  debarment  actions  taken  by  the  Attorney  General 

8  under  this  section. 

9  (e)  Assistance  To  Prevent  Criminal  Viola- 

10  TIONS. — The  Attorney  General,  in  cooperation  with  any 

1 1  other  appropriate  individual,  organization,  or  agency,  may 

12  provide  advice,  training,  technical  assistance,  and  guid- 

13  ance  regarding  ways  to  reduce  the  incidence  of  improper 

14  disclosure  of  protected  health  information. 

15  (f)  Relationship  to  Other  Authorities. — ^A  de- 

16  barment  imposed  under  this  section  shall  not  reduce  or 

17  diminish  the  authority  of  a  Federal,  State,  or  local  govern- 

18  mental  agency  or  court  to  penalize,  imprison,  fme,  sus- 

19  pend,  debar,  or  take  other  adverse  action  against  a  person, 

20  in  a  civil,  criminal,  or  administrative  proceeding. 
.21  CHAPTER  2— CIVIL  SANCTIONS 

22  SEC.  321.  CIVIL  PENALTY. 

23  (a)  Violation. — ^A  health  care  provider,  health  re- 

24  searcher,  health  plan,  health  oversight  agency,  public 

25  health  agency,  law  enforcement  agency,  employer,  health 
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1  or  life  insurer,  school,  or  university,  or  a  person  acting 

2  as  the  agent  of  any  such  person,  who  the  Secretary,  in 

3  consultation  with  the  Attorney  General,  determines  has 

4  substantially  and  materially  failed  to  comply  with  this  Act 

5  shall  be  subject,  in  addition  to  any  other  penalties  that 

6  may  be  prescribed  by  law — 

7  (1)  in  a  case  in  which  the  violation  relates  to 

8  title  I,  to  a  civil  penalty  of  not  more  than  $500  for 

9  each  such  violation,  but  not  to  exceed  $5000  in  the 

10  aggregate  for  multiple  violations; 

11  (2)  in  a  case  in  which  the  violation  relates  to 

12  title  II,  to  a  civil  penalty  of  not  more  than  $10,000 

13  for  each  such  violation,  but  not  to  exceed  $50,000 

14  in  the  aggregate  for  multiple  violations;  or 

15  (3)  in  a  case  in  which  the  Secretary  finds  that 

16  such  violations  have  occurred  with  such  frequency  as 

17  to  constitute  a  general  business  practice,  to  a  cvvil 

18  penalty  of  not  more  than  $100,000. 

19  (b)  Procedures  for  Imposition  op  Penalties. — 

20  Section  1128A  of  the  Social  Security  Act  (42  U.S.C. 

21  1320a-7a),  other  than  subsections  (a)  and  (b)  and  the  sec- 

22  ond  sentence  of  subsection  (f)  of  that  section,  shall  apply 

23  to  the  imposition  of  a  civil,  monetary,  or  exclusionary  pen- 

24  alty  under  this  section  in  the  same  manner  as  such  provi- 
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1  sions  apply  with  respect  to  the  imposition  of  a  penalty 

2  under  section  1128A  of  such  Act. 

3  SEC.  322.  PROCEDURES  FOR  IMPOSITION  OF  PENALTIES. 

4  (a)  Initiation  of  Proceedings  — 

5  (1)  In  general. — The  Secretary,  in  consulta- 

6  tion  with  the  Attorney  General,  may  initiate  a  pro- 

7  ceeding  to  determine  whether  to  impose  a  civil 

8  money  penalty  under  section  321.  The  Secretary 

9  may  not  initiate  an  action  under  this  section  with  re- 

10  spect  to  any  violation  described  in  section  321  after 

11  the  expiration  of  the  6-year  period  beginning  on  the 

12  date  on  which  such  violation  was  alleged  to  have  oc- 

13  curred.  The  Secretary  may  initiate  an  action  under 

14  this  section  by  serving  notice  of  the  action  in  any 

15  manner  authorized  by  Rule  4  of  the  Federal  Rules 

16  of  Civil  Procedure. 

17  (2)  Notice  and  opportunity  for  hear- 

18  ING. — The  Secretary  shall  not  make  a  determination 

19  adverse  to  any  person  under  paragraph  (1)  until  the 

20  person  has  been  given  written  notice  and  an  oppor- 

21  tunity  for  the  determination  to  be  made  on  the 

22  record  after  a  hearing  at  which  the  person  is  entitled 

23  to  be  represented  by  counsel,  to  present  witnesses, 

24  and  to  cross-examine  witnesses  against  the  person. 
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1  (3)  Estoppel. — In  a  proceeding  under  para- 

2  graph  (1)  that — 

3  (A)  is  against  a  person  who  has  been  con- 

4  victed  (whether  upon  a  verdict  after  trial  or 

5  upon  a  plea  of  guilty  or  nolo  contendere)  of  a 

6  crime  under  section  2801  of  title  18,  United 

7  States  Code;  and 

8  (B)  involves  the  same  conduct  as  in  the 

9  criminal  action; 

10  the  person  is  estopped  from  denying  the  essential 

1 1  elements  of  the  criminal  offense. 

12  (4)  Sanctions  for  failure  to  comply. — 

13  The  official  conducting  a  hearing  under  this  section 

14  may  sanction  a  person,  including  any  party  or  attor- 

15  ney,  for  failing  to  comply  with  an  order  or  proce- 

16  dure,  faihng  to  defend  an  action,  or  other  mis- 

17  conduct  as  would  interfere  with  the  speedy,  orderly, 

18  or  fair  conduct  of  the  hearing.  Such  sanction  shall 

19  reasonably  relate  to  the  severity  and  nature  of  the 

20  failure  or  misconduct.  Such  sanction  may  include — 

21  (A)  in  the  case  of  refusal  to  provide  or  per- 

22  mit  discovery,  drawing  negative  factual  infer- 

23  ences  or  treating  such  refusal  as  an  admission 

24  by  deeming  the  matter,  or  certain  facts,  to  be 

25  established; 
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1  (B)  prohibiting  a  party  from  introducing 

2  certain  evidence  or  otherwise  supporting  a  par- 

3  ticular  claim  or  defense; 

4  (C)  striking  pleadings,  in  whole  or  in  part; 

5  (D)  staying  the  proceedings; 

6  (E)  dismissal  of  the  action; 

7  (F)  entering  a  default  judgment; 

8  (G)  ordering  the  party  or  attorney  to  pay 

9  attorneys'  fees  and  other  costs  caused  by  the 

10  failure  or  misconduct;  and 

11  (H)  refusing  to  consider  any  motion  or 

12  other  action  which  is  not  filed  in  a  timely  man- 

13  ner. 

14  (b)    Scope   of   Penalty. — In   determining  the 

15  amount  or  scope  of  any  penalty  imposed  pursuant  to  sec- 

16  tion  321,  the  Secretary  shall  take  into  account — 

17  (1)  the  nature  of  claims  and  the  circumstances 

18  under  which  they  were  presented; 

19  (2)  the  degree  of  culpabihty,  histoiy  of  prior  of- 

20  fenses,  and  financial  condition  of  the  person  against 

21  whom  the  claim  is  brought;  and 

22  (3)  such  other  matters  as  justice  may  require. 

23  (c)  Review  of  Determination. — 

24  (1)  In  general. — ^Any  person  adversely  af- 

25  fected  by  a  determination  of  the  Secretary  under 
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1  this  section  may  obtain  a  review  of  such  determina- 

2  tion  in  the  United  States  Court  of  Appeals  for  the 

3  circuit  in  which  the  person  resides,  or  in  which  the 

4  claim  was  presented,  by  filing  in  such  court  (within 

5  60  days  following  the  date  the  person  is  notified  of 

6  the  determination  of  the  Secretary  a  written  petition 

7  requesting  that  the  determination  be  modified  or  set 

8  aside. 

9  (2)  Filing  op  record. — copy  of  the  petition 

10  filed  under  paragraph  (1)  shall  be  forthwith  trans- 

11  mitted  by  the  clerk  of  the  court  to  the  Secretary, 

12  and  thereupon  the  Secretary  shall  file  in  the  Court 

13  the  record  in  the  proceeding  as  provided  in  section 

14  2112  of  title  28,  United  States  Code.  Upon  such  fil- 

15  ing,  the  court  shall  have  jurisdiction  of  the  proceed- 

16  ing  and  of  the  question  determined  therein,  and 

17  shall  have  the  power  to  make  and  enter  upon  the 

18  pleadings,  testimony,  and  proceedings  set  forth  in 

19  such  record  a  decree  affirming,  modifying,  remand- 

20  ing  for  further  consideration,  or  setting  aside,  in 

21  whole  or  in  part,  the  determination  of  the  Secretary 

22  and  enforcing  the  same  to  the  extent  that  such  order 

23  is  affirmed  or  modified. 

24  (3)  Consideration  of  objections. — No  ob- 

25  jection  that  has  not  been  raised  before  the  Secretary 
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1  with  respect  to  a  determination  described  in  para- 

2  graph  (1)  shall  be  considered  by  the  court,  unless 

3  the  failure  or  neglect  to  raise  such  objection  shall  be 

4  excused  because  of  extraordinary  circumstances. 

5  (4)  Findings. — The  findings  of  the  Secretary 

6  with  respect  to  questions  of  fact  in  an  action  under 

7  this  subsection,  if  supported  by  substantial  evidence 

8  on  the  record  considered  as  a  whole,  shall  be  conclu- 

9  sive.  If  any  party  shall  apply  to  the  court  for  leave 

10  to  adduce  additional  evidence  and  shall  show  to  the 

11  satisfaction  of  the  court  that  such  additional  evi- 

12  dence  is  material  and  that  there  were  reasonable 

13  grounds  for  the  failure  to  adduce  such  evidence  in 

14  the  hearing  before  the  Secretary,  the  court  may 

15  order  such  additional  evidence  to  be  taken  before  the 

16  Secretary  and  to  be  made  a  part  of  the  record.  The 

17  Secretary  may  modify  findings  as  to  the  facts,  or 

18  make  new  findings,  by  reason  of  additional  evidence 

19  so  taken  and  filed,  and  shall  file  with  the  court  such 

20  modified  or  new  findings,  and  such  findings  with  re- 

21  spect  to  questions  of  fact,  if  supported  by  substan- 

22  tial  evidence  on  the  record  considered  as  a  whole, 

23  and  the  recommendations  of  the  Secretary,  if  any, 

24  for  the  modification  or  setting  aside  of  the  original 

25  order,  shall  be  conclusive. 
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1  (5)  Exclusive  jurisdiction. — Upon  the  filing 

2  of  the  record  with  the  court  under  paragraph  (2), 

3  the  jurisdiction  of  the  court  shall  be  exclusive  and  its 

4  judgment  and  decree  shall  be  final,  except  that  the 

5  same  shall  be  subject  to  review  by  the  Supreme 

6  Court  of  the  United  States,  as  provided  for  in  sec- 

7  tion  1254  of  title  28,  United  States  Code. 

8  (d)  Recovery  of  Penalties. — 

9  (1)  In  general. — Civil  money  penalties  im- 

10  posed  under  this  chapter  may  be  compromised  by 

1 1  the  Secretary  and  may  be  recovered  in  a  civil  action 

12  in  the  name  of  the  United  States  brought  in  United 

13  States  district  court  for  the  district  where  the  claim 

14  was  presented,  or  where  the  claimant  resides,  as  de- 

15  termined  by  the  Secretary.  Amounts  recovered  under 

16  this  section  shall  be  paid  to  the  Secretary  and  depos- 

17  ited  as  miscellaneous  receipts  of  the  Treasury  of  the 

18  United  States. 

19  (2)  Deduction  from  amounts  owing. — The 

20  amount  of  any  penalty,  when  finally  determined 

21  under  this  section,  or  the  amount  agreed  upon  in 

22  compromise  under  paragraph  (1),  may  be  deducted 

23  from  any  sum  then  or  later  owing  by  the  United 

24  States  or  a  State  to  the  person  against  whom  the 

25  penalty  has  been  assessed. 
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1  (e)  Determination  Final. — determination  by 

2  the  Secretary  to  impose  a  penalty  under  section  321  shall 

3  be  final  upon  the  expiration  of  the  60-day  period  referred 

4  to  in  subsection  (c)(1).  Matters  that  were  raised  or  that 

5  could  have  been  raised  in  a  hearing  before  the  Secretary 

6  or  in  an  appeal  pursuant  to  subsection  (c)  may  not  be 

7  raised  as  a  defense  to  a  civil  action  by  the  United  States 

8  to  collect  a  penalty  under  section  321. 

9  (f)  Subpoena  Authority. — 

10  (1)  In  general. — For  the  purpose  of  any 

11  hearing,  investigation,  or  other  proceeding  author- 

12  ized  or  directed  under  this  section,  or  relative  to  any 

13  other  matter  within  the  jurisdiction  of  the  Secretary 

14  hereunder,  the  Secretary  shall  have  the  power  to 

15  issue  subpoenas  requiring  the  attendance  and  testi- 

16  mony  of  witnesses  and  the  production  of  any  evi- 

17  dence  that  relates  to  any  matter  under  investigation 

18  or  in  question.  Such  attendance  of  witnesses  and 

19  production  of  evidence  at  the  designated  place  of 

20  such  hearing,  investigation,  or  other  proceeding  may 

21  be  required  from  any  place  in  the  United  States  or 

22  in  any  Territory  or  possession  thereof. 

23  (2)    Service. — Subpoenas   of  the  Secretary 

24  under  paragraph  (1)  shall  be  served  by  anyone  au- 
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1  thorized  by  the  Secretary  by  delivering  a  copy  there- 

2  of  to  the  individual  named  therein. 

3  (3)  Proof  of  service. — verified  return  by 

4  the  individual  serving  the  subpoena  under  this  sub- 

5  section  setting  forth  the  manner  of  service  shall  be 

6  proof  of  service. 

7  (4)  Fees. — ^Witnesses  subpoenaed  under  this 

8  subsection  shall  be  paid  the  same  fees  and  mileage 

9  as  are  paid  witnesses  in  the  district  court  of  the 

10  United  States. 

11  (5)  Refusal  to  obey. — In  case  of  contumacy 

12  by,  or  refusal  to  obey  a  subpoena  duly  served  upon, 

13  any  person,  any  district  court  of  the  United  States 

14  for  the  judicial  district  in  which  such  person  charged 

15  with  contumacy  or  refusal  to  obey  is  found  or  re- 

16  sides  or  transacts  business,  upon  application  by  the 

17  Secretary,  shall  have  jurisdiction  to  issue  an  order 

18  requiring  such  person  to  appear  and  give  testimony, 

19  or  to  appear  and  produce  evidence,  or  both.  Any  fail- 

20  ure  to  obey  such  order  of  the  court  may  be  punished 

21  by  the  court  as  contempt  thereof. 

22  (g)  Injunctive  Relief. — ^Whenever  the  Secretary 

23  has  reason  to  beheve  that  an}^  person  has  engaged,  is  en- 

24  gaging,  or  is  about  to  engage  in  any  activity  which  makes 

25  the  person  subject  to  a  civil  monetary  penalty  under  sec- 
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1  tion  321,  the  Secretary  may  bring  an  action  in  an  appro- 

2  priate  district  court  of  the  United  States  (or,  if  apphcable, 

3  a  United  States  court  of  any  territory)  to  enjoin  such  ac- 

4  tivity,  or  to  enjoin  the  person  from  conceahng,  removing, 

5  encumbering,  or  disposing  of  assets  which  may  be  required 

6  in  order  to  pay  a  civil  monetary  penalty  if  any  such  pen- 

7  alty  were  to  be  imposed  or  to  seek  other  appropriate  relief. 

8  (h)  Agency. — principal  is  jointly  and  severally  ha- 

9  ble  with  the  principal's  agent  for  penalties  under  section 

10  321  for  the  actions  of  the  principal's  agent  acting  within 

1 1  the  scope  of  the  agency. 

12  SEC.  323.  CIVIL  ACTION  BY  INDIVroUALS. 

13  (a)  In  General. — ^Any  individual  whose  rights  under 

14  this  Act  have  been  knowingly  or  negligently  violated  may 

15  bring  a  civil  action  to  recover — 

16  (1)  such  preliminary  and  equitable  relief  as  the 

17  court  determines  to  be  appropriate;  and 

18  (2)  the  greater  of  compensatory  damages  or  liq- 

19  uidated  damages  of  $5,000. 

20  (b)  Punitive  Damages. — In  any  action  brought 

21  under  this  section  in  which  the  individual  has  prevailed 

22  because  of  a  knowing  violation  of  a  provision  of  this  Act, 

23  the  court  may,  in  addition  to  any  relief  awarded  under 

24  subsection  (a),  award  such  punitive  damages  as  may  be 

25  warranted. 
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1  (c)  Attorney's  Fees. — In  the  case  of  a  civil  action 

2  brought  under  subsection  (a)  in  which  the  individual  has 

3  substantially  prevailed,  the  court  may  assess  against  the 

4  respondent  a  reasonable  attorney's  fee  and  other  litigation 

5  costs  and  expenses  (including  expert  fees)  reasonably  in- 

6  curred. 

7  (d)  Limitation. — No  action  may  be  commenced 

8  under  this  section  more  than  3  years  after  the  date  on 

9  which  the  violation  was  or  should  reasonably  have  been 

10  discovered. 

1 1  (e)  Agency. — ^A  principal  is  jointly  and  severally  ha- 

12  ble  with  the  principal's  agent  for  damages  under  this  sec- 

13  tion  for  the  actions  of  the  principal's  agent  acting  within 

14  the  scope  of  the  agency. 

15  (f)  Additional  Remedies. — The  equitable  relief  or 

16  damages  that  may  be  available  under  this  section  shall  be 

17  in  additional  to  any  other  lawful  remedy  or  award  avail- 

18  able. 

19  TITLE  IV— MISCELLANEOUS 

20  SEC.  401.  RELATIONSHIP  TO  OTHER  LAWS. 

21  (a)  Federal  and  State  Laws. — Nothing  in  this 

22  Act  shall  be  construed  as  preempting,  superseding,  or  re- 

23  peaHng,  expHcitly  or  implicitly,  other  Federal  or  State  laws 

24  or  regulations  relating  to  protected  health  information  or 

25  relating  to  an  individual's  access  to  protected  health  infor- 
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1  mation  or  health  care  services,  if  such  laws  or  reflations 

2  provide  protections  for  the  rights  of  individuals  to  the  pri- 

3  vacy  of,  and  access  to,  their  health  information  that  are 

4  greater  than  those  provided  for  in  this  Act. 

5  (b)  Privileges. — Nothing  in  this  Act  shall  be  con- 

6  strued  to  preempt  or  modify  any  provisions  of  State  statu- 

7  tory  or  common  law  to  the  extent  that  such  law  concerns 

8  a  privilege  of  a  witness  or  person  in  a  court  of  that  State. 

9  This  Act  shall  not  be  construed  to  supersede  or  modify 

10  any  provision  of  Federal  statutory  or  common  law  to  the 

1 1  extent  such  law  concerns  a  privilege  of  a  witness  or  person 

12  in  a  court  of  the  United  States.  Authorizations  pursuant 

13  to  section  202  shall  not  be  construed  as  a  waiver  of  any 

14  such  privilege. 

15  (c)  Certain  Duties  Under  Law. — Nothing  in  this 

16  Act  shall  be  construed  to  preempt,  supersede,  or  modify 

17  the  operation  of  any  State  law  that — 

18  (1)  provides  for  the  reporting  of  vital  statistics 

19  such  as  birth  or  death  information; 

20  (2)  requires  the  reporting  of  abuse  or  neglect 

21  information  about  any  individual; 

22  (3)  regulates  the  disclosure  or  reporting  of  in- 

23  formation  concerning  an  individual's  mental  health; 

24  or 
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1  (4)  governs  a  minor's  rights  to  access  protected 

2  health  information  or  health  care  services. 

3  (d)  Federal  Privacy  Act. — 

4  (1)  Medical  exemptions. — Section  552a  of 

5  title  5,  United  States  Code,  is  amended  by  adding 

6  at  the  end  the  following: 

7  ''(w)   Certain  Protected  Health  Informa- 

8  TION. — The  head  of  an  agency  that  is  a  health  care  pro- 

9  vider,  health  plan,  health  oversight  agency,  employer,  in- 

10  surer,  health  or  life  insurer,  school  or  university,  or  person 

11  who  receives  protected  health  information  under  section 

12  204  of  the  Medical  Information  Privacy  and  Security  Act 

13  shall  promulgate  rules,  in  accordance  with  the  require- 

14  ments  (including  general  notice)  of  subsections  (b)(1), 

15  (b)(2),  (b)(3),  (c),  (e)  of  section  553  of  this  title,  to  ex- 

16  empt  a  system  of  records  within  the  agency,  to  the  extent 

17  that  the  system  of  records  contains  protected  health  infor- 

18  mation  (as  defined  in  section  4  of  such  Act),  from  all  pro- 

19  visions  of  this  section  except  subsections  (b)(6),  (d), 

20  (e)(1),  (e)(2),  subparagraphs  (A)  through  (C)  and  (E) 

21  through  (I)  of  subsection  (e)(4),  and  subsections  (e)(5), 

22  (e)(6),  (e)(9),  (e)(12),  (1),  (n),  (o),  (p),  ,  (r),  and  (u).". 

23  (2)  Technical       amendment. — Section 

24  552a(f)(3)  of  title  5,  United  States  Code,  is  amend- 

25  ed  by  striking  "pertaining  to  him,"  and  all  that  fol- 
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1  lows  through  the  semicolon  and  inserting  "pertain- 

2  ing  to  the  individual." 

3  (e)  Constitution. — Nothing  in  this  Act  shall  be 

4  construed  to  alter,  diminish,  or  otherwise  weaken  existing 

5  legal  standards  under  the  Constitution  regarding  the  con- 

6  fidentiality  of  protected  health  information. 

7  SEC.  402.  EFFECTIVE  DATE. 

8  (a)  Effective  Date. — Unless  specifically  provided 

9  for  otherwise,  this  Act  shall  take  effect  on  the  date  that 

10  is  12  months  after  the  date  of  the  promulgation  of  the 

11  regulations  required  under  subsection  (b),  or  30  months 

12  after  the  date  of  enactment  of  this  Act,  whichever  is  ear- 

13  lier. 

14  (b)  Regulations. — Not  later  than  12  months  after 

15  the  date  of  enactment  of  this  Act,  or  as  specifically  pro- 

16  vided  for  otherwise,  the  Secretary  shall  promulgate  regula- 

17  tions  implementing  this  Act. 
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